/src/gnutls/lib/cert-cred-x509.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) 2002-2016 Free Software Foundation, Inc. |
3 | | * Copyright (C) 2016-2017 Red Hat, Inc. |
4 | | * |
5 | | * Author: Nikos Mavrogiannopoulos |
6 | | * |
7 | | * This file is part of GnuTLS. |
8 | | * |
9 | | * The GnuTLS is free software; you can redistribute it and/or |
10 | | * modify it under the terms of the GNU Lesser General Public License |
11 | | * as published by the Free Software Foundation; either version 2.1 of |
12 | | * the License, or (at your option) any later version. |
13 | | * |
14 | | * This library is distributed in the hope that it will be useful, but |
15 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
17 | | * Lesser General Public License for more details. |
18 | | * |
19 | | * You should have received a copy of the GNU Lesser General Public License |
20 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
21 | | * |
22 | | */ |
23 | | |
24 | | #include "gnutls_int.h" |
25 | | #include "auth.h" |
26 | | #include "errors.h" |
27 | | #include <auth/cert.h> |
28 | | #include "dh.h" |
29 | | #include "num.h" |
30 | | #include "datum.h" |
31 | | #include <pk.h> |
32 | | #include <algorithms.h> |
33 | | #include <global.h> |
34 | | #include <record.h> |
35 | | #include <tls-sig.h> |
36 | | #include <state.h> |
37 | | #include <pk.h> |
38 | | #include "str.h" |
39 | | #include <debug.h> |
40 | | #include <x509_b64.h> |
41 | | #include <x509.h> |
42 | | #include "x509/common.h" |
43 | | #include "x509/x509_int.h" |
44 | | #include <str_array.h> |
45 | | #include <gnutls/x509.h> |
46 | | #include "read-file.h" |
47 | | #include "system-keys.h" |
48 | | #include "urls.h" |
49 | | #include "cert-cred.h" |
50 | | #ifdef _WIN32 |
51 | | # include <wincrypt.h> |
52 | | #endif |
53 | | |
54 | | /* |
55 | | * This file includes functions related to adding certificates and other |
56 | | * related objects in a certificate credentials structure. |
57 | | */ |
58 | | |
59 | | /* Returns the name of the certificate of a null name |
60 | | */ |
61 | | int _gnutls_get_x509_name(gnutls_x509_crt_t crt, gnutls_str_array_t * names) |
62 | 0 | { |
63 | 0 | size_t max_size; |
64 | 0 | int i, ret = 0, ret2; |
65 | 0 | char name[MAX_CN]; |
66 | 0 | unsigned have_dns_name = 0; |
67 | |
|
68 | 0 | for (i = 0; !(ret < 0); i++) { |
69 | 0 | max_size = sizeof(name); |
70 | |
|
71 | 0 | ret = |
72 | 0 | gnutls_x509_crt_get_subject_alt_name(crt, i, name, |
73 | 0 | &max_size, NULL); |
74 | 0 | if (ret == GNUTLS_SAN_DNSNAME) { |
75 | 0 | have_dns_name = 1; |
76 | |
|
77 | 0 | ret2 = |
78 | 0 | _gnutls_str_array_append_idna(names, name, |
79 | 0 | max_size); |
80 | 0 | if (ret2 < 0) { |
81 | 0 | _gnutls_str_array_clear(names); |
82 | 0 | return gnutls_assert_val(ret2); |
83 | 0 | } |
84 | 0 | } |
85 | 0 | } |
86 | | |
87 | 0 | if (have_dns_name == 0) { |
88 | 0 | max_size = sizeof(name); |
89 | 0 | ret = |
90 | 0 | gnutls_x509_crt_get_dn_by_oid(crt, OID_X520_COMMON_NAME, 0, |
91 | 0 | 0, name, &max_size); |
92 | 0 | if (ret >= 0) { |
93 | 0 | ret = |
94 | 0 | _gnutls_str_array_append_idna(names, name, |
95 | 0 | max_size); |
96 | 0 | if (ret < 0) { |
97 | 0 | _gnutls_str_array_clear(names); |
98 | 0 | return gnutls_assert_val(ret); |
99 | 0 | } |
100 | 0 | } |
101 | 0 | } |
102 | | |
103 | 0 | return 0; |
104 | 0 | } |
105 | | |
106 | | /* Reads a DER encoded certificate list from memory and stores it to a |
107 | | * gnutls_cert structure. Returns the number of certificates parsed. |
108 | | */ |
109 | | static int |
110 | | parse_der_cert_mem(gnutls_certificate_credentials_t res, |
111 | | gnutls_privkey_t key, |
112 | | const void *input_cert, int input_cert_size) |
113 | 0 | { |
114 | 0 | gnutls_datum_t tmp; |
115 | 0 | gnutls_x509_crt_t crt; |
116 | 0 | gnutls_pcert_st *ccert; |
117 | 0 | int ret; |
118 | 0 | gnutls_str_array_t names; |
119 | |
|
120 | 0 | _gnutls_str_array_init(&names); |
121 | |
|
122 | 0 | ccert = gnutls_malloc(sizeof(*ccert)); |
123 | 0 | if (ccert == NULL) { |
124 | 0 | gnutls_assert(); |
125 | 0 | return GNUTLS_E_MEMORY_ERROR; |
126 | 0 | } |
127 | | |
128 | 0 | ret = gnutls_x509_crt_init(&crt); |
129 | 0 | if (ret < 0) { |
130 | 0 | gnutls_assert(); |
131 | 0 | goto cleanup; |
132 | 0 | } |
133 | | |
134 | 0 | tmp.data = (uint8_t *) input_cert; |
135 | 0 | tmp.size = input_cert_size; |
136 | |
|
137 | 0 | ret = gnutls_x509_crt_import(crt, &tmp, GNUTLS_X509_FMT_DER); |
138 | 0 | if (ret < 0) { |
139 | 0 | gnutls_assert(); |
140 | 0 | gnutls_x509_crt_deinit(crt); |
141 | 0 | goto cleanup; |
142 | 0 | } |
143 | | |
144 | 0 | ret = _gnutls_get_x509_name(crt, &names); |
145 | 0 | if (ret < 0) { |
146 | 0 | gnutls_assert(); |
147 | 0 | gnutls_x509_crt_deinit(crt); |
148 | 0 | goto cleanup; |
149 | 0 | } |
150 | | |
151 | 0 | ret = gnutls_pcert_import_x509(ccert, crt, 0); |
152 | 0 | gnutls_x509_crt_deinit(crt); |
153 | |
|
154 | 0 | if (ret < 0) { |
155 | 0 | gnutls_assert(); |
156 | 0 | goto cleanup; |
157 | 0 | } |
158 | | |
159 | 0 | ret = |
160 | 0 | _gnutls_certificate_credential_append_keypair(res, key, names, |
161 | 0 | ccert, 1); |
162 | 0 | if (ret < 0) { |
163 | 0 | gnutls_assert(); |
164 | 0 | goto cleanup; |
165 | 0 | } |
166 | | |
167 | 0 | return ret; |
168 | | |
169 | 0 | cleanup: |
170 | 0 | _gnutls_str_array_clear(&names); |
171 | 0 | gnutls_free(ccert); |
172 | 0 | return ret; |
173 | 0 | } |
174 | | |
175 | | /* Reads a base64 encoded certificate list from memory and stores it to |
176 | | * a gnutls_cert structure. Returns the number of certificate parsed. |
177 | | */ |
178 | | static int |
179 | | parse_pem_cert_mem(gnutls_certificate_credentials_t res, |
180 | | gnutls_privkey_t key, |
181 | | const char *input_cert, int input_cert_size) |
182 | 0 | { |
183 | 0 | int size; |
184 | 0 | const char *ptr; |
185 | 0 | gnutls_datum_t tmp; |
186 | 0 | int ret, count, i; |
187 | 0 | unsigned ncerts = 0; |
188 | 0 | gnutls_pcert_st *pcerts = NULL; |
189 | 0 | gnutls_str_array_t names; |
190 | 0 | gnutls_x509_crt_t unsorted[DEFAULT_MAX_VERIFY_DEPTH]; |
191 | |
|
192 | 0 | _gnutls_str_array_init(&names); |
193 | | |
194 | | /* move to the certificate |
195 | | */ |
196 | 0 | ptr = memmem(input_cert, input_cert_size, |
197 | 0 | PEM_CERT_SEP, sizeof(PEM_CERT_SEP) - 1); |
198 | 0 | if (ptr == NULL) |
199 | 0 | ptr = memmem(input_cert, input_cert_size, |
200 | 0 | PEM_CERT_SEP2, sizeof(PEM_CERT_SEP2) - 1); |
201 | |
|
202 | 0 | if (ptr == NULL) { |
203 | 0 | gnutls_assert(); |
204 | 0 | return GNUTLS_E_BASE64_DECODING_ERROR; |
205 | 0 | } |
206 | 0 | size = input_cert_size - (ptr - input_cert); |
207 | |
|
208 | 0 | count = 0; |
209 | |
|
210 | 0 | do { |
211 | 0 | tmp.data = (void *)ptr; |
212 | 0 | tmp.size = size; |
213 | |
|
214 | 0 | ret = gnutls_x509_crt_init(&unsorted[count]); |
215 | 0 | if (ret < 0) { |
216 | 0 | gnutls_assert(); |
217 | 0 | goto cleanup; |
218 | 0 | } |
219 | | |
220 | 0 | ret = |
221 | 0 | gnutls_x509_crt_import(unsorted[count], &tmp, |
222 | 0 | GNUTLS_X509_FMT_PEM); |
223 | 0 | if (ret < 0) { |
224 | 0 | gnutls_assert(); |
225 | 0 | goto cleanup; |
226 | 0 | } |
227 | 0 | count++; |
228 | | |
229 | | /* now we move ptr after the pem header |
230 | | */ |
231 | 0 | ptr++; |
232 | 0 | size--; |
233 | | |
234 | | /* find the next certificate (if any) |
235 | | */ |
236 | |
|
237 | 0 | if (size > 0) { |
238 | 0 | char *ptr3; |
239 | |
|
240 | 0 | ptr3 = |
241 | 0 | memmem(ptr, size, PEM_CERT_SEP, |
242 | 0 | sizeof(PEM_CERT_SEP) - 1); |
243 | 0 | if (ptr3 == NULL) |
244 | 0 | ptr3 = memmem(ptr, size, PEM_CERT_SEP2, |
245 | 0 | sizeof(PEM_CERT_SEP2) - 1); |
246 | |
|
247 | 0 | ptr = ptr3; |
248 | 0 | size = input_cert_size - (ptr - input_cert); |
249 | 0 | } else |
250 | 0 | ptr = NULL; |
251 | |
|
252 | 0 | } |
253 | 0 | while (ptr != NULL && count < DEFAULT_MAX_VERIFY_DEPTH); |
254 | | |
255 | 0 | ret = _gnutls_get_x509_name(unsorted[0], &names); |
256 | 0 | if (ret < 0) { |
257 | 0 | gnutls_assert(); |
258 | 0 | goto cleanup; |
259 | 0 | } |
260 | | |
261 | 0 | pcerts = _gnutls_reallocarray(NULL, count, sizeof(gnutls_pcert_st)); |
262 | 0 | if (pcerts == NULL) { |
263 | 0 | gnutls_assert(); |
264 | 0 | return GNUTLS_E_MEMORY_ERROR; |
265 | 0 | } |
266 | | |
267 | 0 | ncerts = count; |
268 | 0 | ret = |
269 | 0 | gnutls_pcert_import_x509_list(pcerts, unsorted, &ncerts, |
270 | 0 | GNUTLS_X509_CRT_LIST_SORT); |
271 | 0 | if (ret < 0) { |
272 | 0 | gnutls_free(pcerts); |
273 | 0 | gnutls_assert(); |
274 | 0 | goto cleanup; |
275 | 0 | } |
276 | | |
277 | 0 | ret = |
278 | 0 | _gnutls_certificate_credential_append_keypair(res, key, names, |
279 | 0 | pcerts, ncerts); |
280 | 0 | if (ret < 0) { |
281 | 0 | gnutls_assert(); |
282 | 0 | goto cleanup; |
283 | 0 | } |
284 | | |
285 | 0 | for (i = 0; i < count; i++) |
286 | 0 | gnutls_x509_crt_deinit(unsorted[i]); |
287 | |
|
288 | 0 | return ncerts; |
289 | | |
290 | 0 | cleanup: |
291 | 0 | _gnutls_str_array_clear(&names); |
292 | 0 | for (i = 0; i < count; i++) |
293 | 0 | gnutls_x509_crt_deinit(unsorted[i]); |
294 | 0 | if (pcerts) { |
295 | 0 | for (i = 0; i < count; i++) |
296 | 0 | gnutls_pcert_deinit(&pcerts[i]); |
297 | 0 | gnutls_free(pcerts); |
298 | 0 | } |
299 | 0 | return ret; |
300 | 0 | } |
301 | | |
302 | | /* Reads a DER or PEM certificate from memory |
303 | | */ |
304 | | static int |
305 | | read_cert_mem(gnutls_certificate_credentials_t res, |
306 | | gnutls_privkey_t key, |
307 | | const void *cert, int cert_size, gnutls_x509_crt_fmt_t type) |
308 | 0 | { |
309 | 0 | int ret; |
310 | |
|
311 | 0 | if (type == GNUTLS_X509_FMT_DER) |
312 | 0 | ret = parse_der_cert_mem(res, key, cert, cert_size); |
313 | 0 | else |
314 | 0 | ret = parse_pem_cert_mem(res, key, cert, cert_size); |
315 | |
|
316 | 0 | if (ret < 0) { |
317 | 0 | gnutls_assert(); |
318 | 0 | return ret; |
319 | 0 | } |
320 | | |
321 | 0 | return ret; |
322 | 0 | } |
323 | | |
324 | | static int tmp_pin_cb(void *userdata, int attempt, const char *token_url, |
325 | | const char *token_label, unsigned int flags, |
326 | | char *pin, size_t pin_max) |
327 | 0 | { |
328 | 0 | const char *tmp_pin = userdata; |
329 | |
|
330 | 0 | if (attempt == 0) { |
331 | 0 | snprintf(pin, pin_max, "%s", tmp_pin); |
332 | 0 | return 0; |
333 | 0 | } |
334 | | |
335 | 0 | return -1; |
336 | 0 | } |
337 | | |
338 | | /* Reads a PEM encoded PKCS-1 RSA/DSA private key from memory. Type |
339 | | * indicates the certificate format. |
340 | | * |
341 | | * It returns the private key read in @rkey. |
342 | | */ |
343 | | int |
344 | | _gnutls_read_key_mem(gnutls_certificate_credentials_t res, |
345 | | const void *key, int key_size, gnutls_x509_crt_fmt_t type, |
346 | | const char *pass, unsigned int flags, |
347 | | gnutls_privkey_t * rkey) |
348 | 0 | { |
349 | 0 | int ret; |
350 | 0 | gnutls_datum_t tmp; |
351 | 0 | gnutls_privkey_t privkey; |
352 | |
|
353 | 0 | if (key) { |
354 | 0 | tmp.data = (uint8_t *) key; |
355 | 0 | tmp.size = key_size; |
356 | |
|
357 | 0 | ret = gnutls_privkey_init(&privkey); |
358 | 0 | if (ret < 0) { |
359 | 0 | gnutls_assert(); |
360 | 0 | return ret; |
361 | 0 | } |
362 | | |
363 | 0 | if (res->pin.cb) { |
364 | 0 | gnutls_privkey_set_pin_function(privkey, |
365 | 0 | res->pin.cb, |
366 | 0 | res->pin.data); |
367 | 0 | } else if (pass != NULL) { |
368 | 0 | snprintf(res->pin_tmp, sizeof(res->pin_tmp), "%s", |
369 | 0 | pass); |
370 | 0 | gnutls_privkey_set_pin_function(privkey, |
371 | 0 | tmp_pin_cb, |
372 | 0 | res->pin_tmp); |
373 | 0 | } |
374 | |
|
375 | 0 | ret = |
376 | 0 | gnutls_privkey_import_x509_raw(privkey, &tmp, type, |
377 | 0 | pass, flags); |
378 | 0 | if (ret < 0) { |
379 | 0 | gnutls_assert(); |
380 | 0 | gnutls_privkey_deinit(privkey); |
381 | 0 | return ret; |
382 | 0 | } |
383 | | |
384 | 0 | *rkey = privkey; |
385 | 0 | } else { |
386 | 0 | gnutls_assert(); |
387 | 0 | return GNUTLS_E_INVALID_REQUEST; |
388 | 0 | } |
389 | | |
390 | 0 | return 0; |
391 | 0 | } |
392 | | |
393 | | /* Reads a private key from a token. |
394 | | */ |
395 | | static int |
396 | | read_key_url(gnutls_certificate_credentials_t res, const char *url, |
397 | | gnutls_privkey_t * rkey) |
398 | 0 | { |
399 | 0 | int ret; |
400 | 0 | gnutls_privkey_t pkey = NULL; |
401 | | |
402 | | /* allocate space for the pkey list |
403 | | */ |
404 | 0 | ret = gnutls_privkey_init(&pkey); |
405 | 0 | if (ret < 0) { |
406 | 0 | gnutls_assert(); |
407 | 0 | goto cleanup; |
408 | 0 | } |
409 | | |
410 | 0 | if (res->pin.cb) |
411 | 0 | gnutls_privkey_set_pin_function(pkey, res->pin.cb, |
412 | 0 | res->pin.data); |
413 | |
|
414 | 0 | ret = gnutls_privkey_import_url(pkey, url, 0); |
415 | 0 | if (ret < 0) { |
416 | 0 | gnutls_assert(); |
417 | 0 | goto cleanup; |
418 | 0 | } |
419 | | |
420 | 0 | *rkey = pkey; |
421 | |
|
422 | 0 | return 0; |
423 | | |
424 | 0 | cleanup: |
425 | 0 | if (pkey) |
426 | 0 | gnutls_privkey_deinit(pkey); |
427 | |
|
428 | 0 | return ret; |
429 | 0 | } |
430 | | |
431 | 0 | #define MAX_PKCS11_CERT_CHAIN 8 |
432 | | /* Reads a certificate key from a token. |
433 | | */ |
434 | | static int |
435 | | read_cert_url(gnutls_certificate_credentials_t res, gnutls_privkey_t key, |
436 | | const char *url) |
437 | 0 | { |
438 | 0 | int ret; |
439 | 0 | gnutls_x509_crt_t crt = NULL; |
440 | 0 | gnutls_pcert_st *ccert = NULL; |
441 | 0 | gnutls_str_array_t names; |
442 | 0 | gnutls_datum_t t = { NULL, 0 }; |
443 | 0 | unsigned i, count = 0; |
444 | |
|
445 | 0 | _gnutls_str_array_init(&names); |
446 | |
|
447 | 0 | ccert = _gnutls_reallocarray(NULL, MAX_PKCS11_CERT_CHAIN, |
448 | 0 | sizeof(*ccert)); |
449 | 0 | if (ccert == NULL) { |
450 | 0 | gnutls_assert(); |
451 | 0 | ret = GNUTLS_E_MEMORY_ERROR; |
452 | 0 | goto cleanup; |
453 | 0 | } |
454 | | |
455 | 0 | ret = gnutls_x509_crt_init(&crt); |
456 | 0 | if (ret < 0) { |
457 | 0 | gnutls_assert(); |
458 | 0 | goto cleanup; |
459 | 0 | } |
460 | | |
461 | 0 | if (res->pin.cb) |
462 | 0 | gnutls_x509_crt_set_pin_function(crt, res->pin.cb, |
463 | 0 | res->pin.data); |
464 | |
|
465 | 0 | ret = gnutls_x509_crt_import_url(crt, url, 0); |
466 | 0 | if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) |
467 | 0 | ret = |
468 | 0 | gnutls_x509_crt_import_url(crt, url, |
469 | 0 | GNUTLS_PKCS11_OBJ_FLAG_LOGIN); |
470 | 0 | if (ret < 0) { |
471 | 0 | gnutls_assert(); |
472 | 0 | goto cleanup; |
473 | 0 | } |
474 | | |
475 | 0 | ret = _gnutls_get_x509_name(crt, &names); |
476 | 0 | if (ret < 0) { |
477 | 0 | gnutls_assert(); |
478 | 0 | goto cleanup; |
479 | 0 | } |
480 | | |
481 | | /* Try to load the whole certificate chain from the PKCS #11 token */ |
482 | 0 | for (i = 0; i < MAX_PKCS11_CERT_CHAIN; i++) { |
483 | 0 | ret = gnutls_x509_crt_check_issuer(crt, crt); |
484 | 0 | if (i > 0 && ret != 0) { |
485 | | /* self signed */ |
486 | 0 | break; |
487 | 0 | } |
488 | | |
489 | 0 | ret = gnutls_pcert_import_x509(&ccert[i], crt, 0); |
490 | 0 | if (ret < 0) { |
491 | 0 | gnutls_assert(); |
492 | 0 | goto cleanup; |
493 | 0 | } |
494 | 0 | count++; |
495 | |
|
496 | 0 | ret = _gnutls_get_raw_issuer(url, crt, &t, 0); |
497 | 0 | if (ret < 0) |
498 | 0 | break; |
499 | | |
500 | 0 | gnutls_x509_crt_deinit(crt); |
501 | 0 | crt = NULL; |
502 | 0 | ret = gnutls_x509_crt_init(&crt); |
503 | 0 | if (ret < 0) { |
504 | 0 | gnutls_assert(); |
505 | 0 | goto cleanup; |
506 | 0 | } |
507 | | |
508 | 0 | ret = gnutls_x509_crt_import(crt, &t, GNUTLS_X509_FMT_DER); |
509 | 0 | if (ret < 0) { |
510 | 0 | gnutls_assert(); |
511 | 0 | goto cleanup; |
512 | 0 | } |
513 | 0 | gnutls_free(t.data); |
514 | 0 | } |
515 | | |
516 | 0 | ret = |
517 | 0 | _gnutls_certificate_credential_append_keypair(res, key, names, |
518 | 0 | ccert, count); |
519 | 0 | if (ret < 0) { |
520 | 0 | gnutls_assert(); |
521 | 0 | goto cleanup; |
522 | 0 | } |
523 | | |
524 | 0 | if (crt != NULL) |
525 | 0 | gnutls_x509_crt_deinit(crt); |
526 | |
|
527 | 0 | return 0; |
528 | 0 | cleanup: |
529 | 0 | if (crt != NULL) |
530 | 0 | gnutls_x509_crt_deinit(crt); |
531 | 0 | gnutls_free(t.data); |
532 | 0 | _gnutls_str_array_clear(&names); |
533 | 0 | gnutls_free(ccert); |
534 | 0 | return ret; |
535 | 0 | } |
536 | | |
537 | | /* Reads a certificate file |
538 | | */ |
539 | | static int |
540 | | read_cert_file(gnutls_certificate_credentials_t res, |
541 | | gnutls_privkey_t key, |
542 | | const char *certfile, gnutls_x509_crt_fmt_t type) |
543 | 0 | { |
544 | 0 | int ret; |
545 | 0 | size_t size; |
546 | 0 | char *data; |
547 | |
|
548 | 0 | if (gnutls_url_is_supported(certfile)) { |
549 | 0 | return read_cert_url(res, key, certfile); |
550 | 0 | } |
551 | | |
552 | 0 | data = read_file(certfile, RF_BINARY, &size); |
553 | |
|
554 | 0 | if (data == NULL) { |
555 | 0 | gnutls_assert(); |
556 | 0 | return GNUTLS_E_FILE_ERROR; |
557 | 0 | } |
558 | | |
559 | 0 | ret = read_cert_mem(res, key, data, size, type); |
560 | 0 | free(data); |
561 | |
|
562 | 0 | return ret; |
563 | |
|
564 | 0 | } |
565 | | |
566 | | /* Reads PKCS-1 RSA private key file or a DSA file (in the format openssl |
567 | | * stores it). |
568 | | */ |
569 | | int |
570 | | _gnutls_read_key_file(gnutls_certificate_credentials_t res, |
571 | | const char *keyfile, gnutls_x509_crt_fmt_t type, |
572 | | const char *pass, unsigned int flags, |
573 | | gnutls_privkey_t * rkey) |
574 | 0 | { |
575 | 0 | int ret; |
576 | 0 | size_t size; |
577 | 0 | char *data; |
578 | |
|
579 | 0 | if (_gnutls_url_is_known(keyfile)) { |
580 | 0 | if (gnutls_url_is_supported(keyfile)) { |
581 | | /* if no PIN function is specified, and we have a PIN, |
582 | | * specify one */ |
583 | 0 | if (pass != NULL && res->pin.cb == NULL) { |
584 | 0 | snprintf(res->pin_tmp, sizeof(res->pin_tmp), |
585 | 0 | "%s", pass); |
586 | 0 | gnutls_certificate_set_pin_function(res, |
587 | 0 | tmp_pin_cb, |
588 | 0 | res->pin_tmp); |
589 | 0 | } |
590 | |
|
591 | 0 | return read_key_url(res, keyfile, rkey); |
592 | 0 | } else |
593 | 0 | return |
594 | 0 | gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE); |
595 | 0 | } |
596 | | |
597 | 0 | data = read_file(keyfile, RF_BINARY | RF_SENSITIVE, &size); |
598 | |
|
599 | 0 | if (data == NULL) { |
600 | 0 | gnutls_assert(); |
601 | 0 | return GNUTLS_E_FILE_ERROR; |
602 | 0 | } |
603 | | |
604 | 0 | ret = _gnutls_read_key_mem(res, data, size, type, pass, flags, rkey); |
605 | 0 | zeroize_key(data, size); |
606 | 0 | free(data); |
607 | |
|
608 | 0 | return ret; |
609 | 0 | } |
610 | | |
611 | | /** |
612 | | * gnutls_certificate_set_x509_key_mem: |
613 | | * @res: is a #gnutls_certificate_credentials_t type. |
614 | | * @cert: contains a certificate list (path) for the specified private key |
615 | | * @key: is the private key, or %NULL |
616 | | * @type: is PEM or DER |
617 | | * |
618 | | * This function sets a certificate/private key pair in the |
619 | | * gnutls_certificate_credentials_t type. This function may be called |
620 | | * more than once, in case multiple keys/certificates exist for the |
621 | | * server. |
622 | | * |
623 | | * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates |
624 | | * is supported. This means that certificates intended for signing cannot |
625 | | * be used for ciphersuites that require encryption. |
626 | | * |
627 | | * If the certificate and the private key are given in PEM encoding |
628 | | * then the strings that hold their values must be null terminated. |
629 | | * |
630 | | * The @key may be %NULL if you are using a sign callback, see |
631 | | * gnutls_sign_callback_set(). |
632 | | * |
633 | | * Note that, this function by default returns zero on success and a negative value on error. |
634 | | * Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags() |
635 | | * it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair. |
636 | | * |
637 | | * Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior). |
638 | | * |
639 | | **/ |
640 | | int |
641 | | gnutls_certificate_set_x509_key_mem(gnutls_certificate_credentials_t res, |
642 | | const gnutls_datum_t * cert, |
643 | | const gnutls_datum_t * key, |
644 | | gnutls_x509_crt_fmt_t type) |
645 | 0 | { |
646 | 0 | return gnutls_certificate_set_x509_key_mem2(res, cert, key, type, |
647 | 0 | NULL, 0); |
648 | 0 | } |
649 | | |
650 | | /** |
651 | | * gnutls_certificate_set_x509_key_mem2: |
652 | | * @res: is a #gnutls_certificate_credentials_t type. |
653 | | * @cert: contains a certificate list (path) for the specified private key |
654 | | * @key: is the private key, or %NULL |
655 | | * @type: is PEM or DER |
656 | | * @pass: is the key's password |
657 | | * @flags: an ORed sequence of gnutls_pkcs_encrypt_flags_t |
658 | | * |
659 | | * This function sets a certificate/private key pair in the |
660 | | * gnutls_certificate_credentials_t type. This function may be called |
661 | | * more than once, in case multiple keys/certificates exist for the |
662 | | * server. |
663 | | * |
664 | | * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates |
665 | | * is supported. This means that certificates intended for signing cannot |
666 | | * be used for ciphersuites that require encryption. |
667 | | * |
668 | | * If the certificate and the private key are given in PEM encoding |
669 | | * then the strings that hold their values must be null terminated. |
670 | | * |
671 | | * The @key may be %NULL if you are using a sign callback, see |
672 | | * gnutls_sign_callback_set(). |
673 | | * |
674 | | * Note that, this function by default returns zero on success and a negative value on error. |
675 | | * Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags() |
676 | | * it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair. |
677 | | * |
678 | | * Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior). |
679 | | **/ |
680 | | int |
681 | | gnutls_certificate_set_x509_key_mem2(gnutls_certificate_credentials_t res, |
682 | | const gnutls_datum_t * cert, |
683 | | const gnutls_datum_t * key, |
684 | | gnutls_x509_crt_fmt_t type, |
685 | | const char *pass, unsigned int flags) |
686 | 0 | { |
687 | 0 | int ret; |
688 | 0 | gnutls_privkey_t rkey; |
689 | | |
690 | | /* this should be first |
691 | | */ |
692 | 0 | if ((ret = _gnutls_read_key_mem(res, key ? key->data : NULL, |
693 | 0 | key ? key->size : 0, type, pass, |
694 | 0 | flags, &rkey)) < 0) |
695 | 0 | return ret; |
696 | | |
697 | 0 | if ((ret = read_cert_mem(res, rkey, cert->data, cert->size, type)) < 0) { |
698 | 0 | gnutls_privkey_deinit(rkey); |
699 | 0 | return ret; |
700 | 0 | } |
701 | | |
702 | 0 | res->ncerts++; |
703 | |
|
704 | 0 | if (key && (ret = _gnutls_check_key_cert_match(res)) < 0) { |
705 | 0 | gnutls_assert(); |
706 | 0 | return ret; |
707 | 0 | } |
708 | | |
709 | 0 | CRED_RET_SUCCESS(res); |
710 | 0 | } |
711 | | |
712 | | /** |
713 | | * gnutls_certificate_set_x509_key: |
714 | | * @res: is a #gnutls_certificate_credentials_t type. |
715 | | * @cert_list: contains a certificate list (path) for the specified private key |
716 | | * @cert_list_size: holds the size of the certificate list |
717 | | * @key: is a #gnutls_x509_privkey_t key |
718 | | * |
719 | | * This function sets a certificate/private key pair in the |
720 | | * gnutls_certificate_credentials_t type. This function may be |
721 | | * called more than once, in case multiple keys/certificates exist for |
722 | | * the server. For clients that wants to send more than their own end |
723 | | * entity certificate (e.g., also an intermediate CA cert) then put |
724 | | * the certificate chain in @cert_list. |
725 | | * |
726 | | * Note that the certificates and keys provided, can be safely deinitialized |
727 | | * after this function is called. |
728 | | * |
729 | | * If that function fails to load the @res type is at an undefined state, it must |
730 | | * not be reused to load other keys or certificates. |
731 | | * |
732 | | * Note that, this function by default returns zero on success and a negative value on error. |
733 | | * Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags() |
734 | | * it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair. |
735 | | * |
736 | | * Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior). |
737 | | * |
738 | | * Since: 2.4.0 |
739 | | **/ |
740 | | int |
741 | | gnutls_certificate_set_x509_key(gnutls_certificate_credentials_t res, |
742 | | gnutls_x509_crt_t * cert_list, |
743 | | int cert_list_size, gnutls_x509_privkey_t key) |
744 | 0 | { |
745 | 0 | int ret; |
746 | 0 | int npcerts = 0; |
747 | 0 | gnutls_privkey_t pkey; |
748 | 0 | gnutls_pcert_st *pcerts = NULL; |
749 | 0 | gnutls_str_array_t names; |
750 | |
|
751 | 0 | if (cert_list == NULL || cert_list_size < 1) |
752 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
753 | | |
754 | 0 | _gnutls_str_array_init(&names); |
755 | | |
756 | | /* this should be first |
757 | | */ |
758 | 0 | ret = gnutls_privkey_init(&pkey); |
759 | 0 | if (ret < 0) { |
760 | 0 | gnutls_assert(); |
761 | 0 | return ret; |
762 | 0 | } |
763 | | |
764 | 0 | if (res->pin.cb) |
765 | 0 | gnutls_privkey_set_pin_function(pkey, res->pin.cb, |
766 | 0 | res->pin.data); |
767 | |
|
768 | 0 | ret = gnutls_privkey_import_x509(pkey, key, GNUTLS_PRIVKEY_IMPORT_COPY); |
769 | 0 | if (ret < 0) { |
770 | 0 | gnutls_assert(); |
771 | 0 | return ret; |
772 | 0 | } |
773 | | |
774 | | /* load certificates */ |
775 | 0 | pcerts = _gnutls_reallocarray(NULL, cert_list_size, |
776 | 0 | sizeof(gnutls_pcert_st)); |
777 | 0 | if (pcerts == NULL) { |
778 | 0 | gnutls_assert(); |
779 | 0 | return GNUTLS_E_MEMORY_ERROR; |
780 | 0 | } |
781 | | |
782 | 0 | ret = _gnutls_get_x509_name(cert_list[0], &names); |
783 | 0 | if (ret < 0) { |
784 | 0 | gnutls_assert(); |
785 | 0 | goto cleanup; |
786 | 0 | } |
787 | | |
788 | 0 | ret = |
789 | 0 | gnutls_pcert_import_x509_list(pcerts, cert_list, |
790 | 0 | (unsigned int *)&cert_list_size, |
791 | 0 | GNUTLS_X509_CRT_LIST_SORT); |
792 | 0 | if (ret < 0) { |
793 | 0 | gnutls_assert(); |
794 | 0 | goto cleanup; |
795 | 0 | } |
796 | 0 | npcerts = cert_list_size; |
797 | |
|
798 | 0 | ret = |
799 | 0 | _gnutls_certificate_credential_append_keypair(res, pkey, names, |
800 | 0 | pcerts, npcerts); |
801 | 0 | if (ret < 0) { |
802 | 0 | gnutls_assert(); |
803 | 0 | goto cleanup; |
804 | 0 | } |
805 | | |
806 | 0 | res->ncerts++; |
807 | | |
808 | | /* after this point we do not deinitialize anything on failure to avoid |
809 | | * double freeing. We intentionally keep everything as the credentials state |
810 | | * is documented to be on undefined state. */ |
811 | 0 | if ((ret = _gnutls_check_key_cert_match(res)) < 0) { |
812 | 0 | gnutls_assert(); |
813 | 0 | return ret; |
814 | 0 | } |
815 | | |
816 | 0 | CRED_RET_SUCCESS(res); |
817 | |
|
818 | 0 | cleanup: |
819 | 0 | while (npcerts-- > 0) |
820 | 0 | gnutls_pcert_deinit(&pcerts[npcerts]); |
821 | 0 | gnutls_free(pcerts); |
822 | 0 | _gnutls_str_array_clear(&names); |
823 | 0 | return ret; |
824 | 0 | } |
825 | | |
826 | | /** |
827 | | * gnutls_certificate_get_x509_key: |
828 | | * @res: is a #gnutls_certificate_credentials_t type. |
829 | | * @index: The index of the key to obtain. |
830 | | * @key: Location to store the key. |
831 | | * |
832 | | * Obtains a X.509 private key that has been stored in @res with one of |
833 | | * gnutls_certificate_set_x509_key(), gnutls_certificate_set_key(), |
834 | | * gnutls_certificate_set_x509_key_file(), |
835 | | * gnutls_certificate_set_x509_key_file2(), |
836 | | * gnutls_certificate_set_x509_key_mem(), or |
837 | | * gnutls_certificate_set_x509_key_mem2(). The returned key must be deallocated |
838 | | * with gnutls_x509_privkey_deinit() when no longer needed. |
839 | | * |
840 | | * The @index matches the return value of gnutls_certificate_set_x509_key() and friends |
841 | | * functions, when the %GNUTLS_CERTIFICATE_API_V2 flag is set. |
842 | | * |
843 | | * If there is no key with the given index, |
844 | | * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned. If the key with the |
845 | | * given index is not a X.509 key, %GNUTLS_E_INVALID_REQUEST is returned. |
846 | | * |
847 | | * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code. |
848 | | * |
849 | | * Since: 3.4.0 |
850 | | */ |
851 | | int |
852 | | gnutls_certificate_get_x509_key(gnutls_certificate_credentials_t res, |
853 | | unsigned index, gnutls_x509_privkey_t * key) |
854 | 0 | { |
855 | 0 | if (index >= res->ncerts) { |
856 | 0 | gnutls_assert(); |
857 | 0 | return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; |
858 | 0 | } |
859 | | |
860 | 0 | return gnutls_privkey_export_x509(res->certs[index].pkey, key); |
861 | 0 | } |
862 | | |
863 | | /** |
864 | | * gnutls_certificate_get_x509_crt: |
865 | | * @res: is a #gnutls_certificate_credentials_t type. |
866 | | * @index: The index of the certificate list to obtain. |
867 | | * @crt_list: Where to store the certificate list. |
868 | | * @crt_list_size: Will hold the number of certificates. |
869 | | * |
870 | | * Obtains a X.509 certificate list that has been stored in @res with one of |
871 | | * gnutls_certificate_set_x509_key(), gnutls_certificate_set_key(), |
872 | | * gnutls_certificate_set_x509_key_file(), |
873 | | * gnutls_certificate_set_x509_key_file2(), |
874 | | * gnutls_certificate_set_x509_key_mem(), or |
875 | | * gnutls_certificate_set_x509_key_mem2(). Each certificate in the returned |
876 | | * certificate list must be deallocated with gnutls_x509_crt_deinit(), and the |
877 | | * list itself must be freed with gnutls_free(). |
878 | | * |
879 | | * The @index matches the return value of gnutls_certificate_set_x509_key() and friends |
880 | | * functions, when the %GNUTLS_CERTIFICATE_API_V2 flag is set. |
881 | | * |
882 | | * If there is no certificate with the given index, |
883 | | * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned. If the certificate |
884 | | * with the given index is not a X.509 certificate, %GNUTLS_E_INVALID_REQUEST |
885 | | * is returned. The returned certificates must be deinitialized after |
886 | | * use, and the @crt_list pointer must be freed using gnutls_free(). |
887 | | * |
888 | | * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code. |
889 | | * |
890 | | * Since: 3.4.0 |
891 | | */ |
892 | | int |
893 | | gnutls_certificate_get_x509_crt(gnutls_certificate_credentials_t res, |
894 | | unsigned index, |
895 | | gnutls_x509_crt_t ** crt_list, |
896 | | unsigned *crt_list_size) |
897 | 0 | { |
898 | 0 | int ret; |
899 | 0 | unsigned i; |
900 | |
|
901 | 0 | if (index >= res->ncerts) { |
902 | 0 | gnutls_assert(); |
903 | 0 | return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; |
904 | 0 | } |
905 | | |
906 | 0 | *crt_list_size = res->certs[index].cert_list_length; |
907 | 0 | *crt_list = _gnutls_reallocarray(NULL, |
908 | 0 | res->certs[index].cert_list_length, |
909 | 0 | sizeof(gnutls_x509_crt_t)); |
910 | 0 | if (*crt_list == NULL) { |
911 | 0 | gnutls_assert(); |
912 | 0 | return GNUTLS_E_MEMORY_ERROR; |
913 | 0 | } |
914 | | |
915 | 0 | for (i = 0; i < res->certs[index].cert_list_length; ++i) { |
916 | 0 | ret = |
917 | 0 | gnutls_pcert_export_x509(&res->certs[index].cert_list[i], |
918 | 0 | &(*crt_list)[i]); |
919 | 0 | if (ret < 0) { |
920 | 0 | while (i--) |
921 | 0 | gnutls_x509_crt_deinit((*crt_list)[i]); |
922 | 0 | gnutls_free(*crt_list); |
923 | |
|
924 | 0 | return gnutls_assert_val(ret); |
925 | 0 | } |
926 | 0 | } |
927 | | |
928 | 0 | return 0; |
929 | 0 | } |
930 | | |
931 | | /** |
932 | | * gnutls_certificate_set_trust_list: |
933 | | * @res: is a #gnutls_certificate_credentials_t type. |
934 | | * @tlist: is a #gnutls_x509_trust_list_t type |
935 | | * @flags: must be zero |
936 | | * |
937 | | * This function sets a trust list in the gnutls_certificate_credentials_t type. |
938 | | * |
939 | | * Note that the @tlist will become part of the credentials |
940 | | * structure and must not be deallocated. It will be automatically deallocated |
941 | | * when the @res structure is deinitialized. |
942 | | * |
943 | | * Since: 3.2.2 |
944 | | **/ |
945 | | void |
946 | | gnutls_certificate_set_trust_list(gnutls_certificate_credentials_t res, |
947 | | gnutls_x509_trust_list_t tlist, |
948 | | unsigned flags) |
949 | 0 | { |
950 | 0 | gnutls_x509_trust_list_deinit(res->tlist, 1); |
951 | |
|
952 | 0 | res->tlist = tlist; |
953 | 0 | } |
954 | | |
955 | | /** |
956 | | * gnutls_certificate_get_trust_list: |
957 | | * @res: is a #gnutls_certificate_credentials_t type. |
958 | | * @tlist: Location where to store the trust list. |
959 | | * |
960 | | * Obtains the list of trusted certificates stored in @res and writes a |
961 | | * pointer to it to the location @tlist. The pointer will point to memory |
962 | | * internal to @res, and must not be deinitialized. It will be automatically |
963 | | * deallocated when the @res structure is deinitialized. |
964 | | * |
965 | | * Since: 3.4.0 |
966 | | **/ |
967 | | void |
968 | | gnutls_certificate_get_trust_list(gnutls_certificate_credentials_t res, |
969 | | gnutls_x509_trust_list_t * tlist) |
970 | 0 | { |
971 | 0 | *tlist = res->tlist; |
972 | 0 | } |
973 | | |
974 | | /** |
975 | | * gnutls_certificate_set_x509_key_file: |
976 | | * @res: is a #gnutls_certificate_credentials_t type. |
977 | | * @certfile: is a file that containing the certificate list (path) for |
978 | | * the specified private key, in PKCS7 format, or a list of certificates |
979 | | * @keyfile: is a file that contains the private key |
980 | | * @type: is PEM or DER |
981 | | * |
982 | | * This function sets a certificate/private key pair in the |
983 | | * gnutls_certificate_credentials_t type. This function may be |
984 | | * called more than once, in case multiple keys/certificates exist for |
985 | | * the server. For clients that need to send more than its own end |
986 | | * entity certificate, e.g., also an intermediate CA cert, then the |
987 | | * @certfile must contain the ordered certificate chain. |
988 | | * |
989 | | * Note that the names in the certificate provided will be considered |
990 | | * when selecting the appropriate certificate to use (in case of multiple |
991 | | * certificate/key pairs). |
992 | | * |
993 | | * This function can also accept URLs at @keyfile and @certfile. In that case it |
994 | | * will use the private key and certificate indicated by the URLs. Note |
995 | | * that the supported URLs are the ones indicated by gnutls_url_is_supported(). |
996 | | * |
997 | | * In case the @certfile is provided as a PKCS #11 URL, then the certificate, and its |
998 | | * present issuers in the token are imported (i.e., forming the required trust chain). |
999 | | * |
1000 | | * If that function fails to load the @res structure is at an undefined state, it must |
1001 | | * not be reused to load other keys or certificates. |
1002 | | * |
1003 | | * Note that, this function by default returns zero on success and a negative value on error. |
1004 | | * Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags() |
1005 | | * it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair. |
1006 | | * |
1007 | | * Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior). |
1008 | | * |
1009 | | * Since: 3.1.11 |
1010 | | **/ |
1011 | | int |
1012 | | gnutls_certificate_set_x509_key_file(gnutls_certificate_credentials_t res, |
1013 | | const char *certfile, |
1014 | | const char *keyfile, |
1015 | | gnutls_x509_crt_fmt_t type) |
1016 | 0 | { |
1017 | 0 | return gnutls_certificate_set_x509_key_file2(res, certfile, |
1018 | 0 | keyfile, type, NULL, 0); |
1019 | 0 | } |
1020 | | |
1021 | | /** |
1022 | | * gnutls_certificate_set_x509_key_file2: |
1023 | | * @res: is a #gnutls_certificate_credentials_t type. |
1024 | | * @certfile: is a file that containing the certificate list (path) for |
1025 | | * the specified private key, in PKCS7 format, or a list of certificates |
1026 | | * @keyfile: is a file that contains the private key |
1027 | | * @type: is PEM or DER |
1028 | | * @pass: is the password of the key |
1029 | | * @flags: an ORed sequence of gnutls_pkcs_encrypt_flags_t |
1030 | | * |
1031 | | * This function sets a certificate/private key pair in the |
1032 | | * gnutls_certificate_credentials_t type. This function may be |
1033 | | * called more than once, in case multiple keys/certificates exist for |
1034 | | * the server. For clients that need to send more than its own end |
1035 | | * entity certificate, e.g., also an intermediate CA cert, then the |
1036 | | * @certfile must contain the ordered certificate chain. |
1037 | | * |
1038 | | * Note that the names in the certificate provided will be considered |
1039 | | * when selecting the appropriate certificate to use (in case of multiple |
1040 | | * certificate/key pairs). |
1041 | | * |
1042 | | * This function can also accept URLs at @keyfile and @certfile. In that case it |
1043 | | * will use the private key and certificate indicated by the URLs. Note |
1044 | | * that the supported URLs are the ones indicated by gnutls_url_is_supported(). |
1045 | | * Before GnuTLS 3.4.0 when a URL was specified, the @pass part was ignored and a |
1046 | | * PIN callback had to be registered, this is no longer the case in current releases. |
1047 | | * |
1048 | | * In case the @certfile is provided as a PKCS #11 URL, then the certificate, and its |
1049 | | * present issuers in the token are imported (i.e., forming the required trust chain). |
1050 | | * |
1051 | | * If that function fails to load the @res structure is at an undefined state, it must |
1052 | | * not be reused to load other keys or certificates. |
1053 | | * |
1054 | | * Note that, this function by default returns zero on success and a negative value on error. |
1055 | | * Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags() |
1056 | | * it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair. |
1057 | | * |
1058 | | * Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior). |
1059 | | * |
1060 | | **/ |
1061 | | int |
1062 | | gnutls_certificate_set_x509_key_file2(gnutls_certificate_credentials_t res, |
1063 | | const char *certfile, |
1064 | | const char *keyfile, |
1065 | | gnutls_x509_crt_fmt_t type, |
1066 | | const char *pass, unsigned int flags) |
1067 | 0 | { |
1068 | 0 | int ret; |
1069 | 0 | gnutls_privkey_t rkey; |
1070 | | |
1071 | | /* this should be first |
1072 | | */ |
1073 | 0 | if ((ret = |
1074 | 0 | _gnutls_read_key_file(res, keyfile, type, pass, flags, &rkey)) < 0) |
1075 | 0 | return ret; |
1076 | | |
1077 | 0 | if ((ret = read_cert_file(res, rkey, certfile, type)) < 0) { |
1078 | 0 | gnutls_privkey_deinit(rkey); |
1079 | 0 | return ret; |
1080 | 0 | } |
1081 | | |
1082 | 0 | res->ncerts++; |
1083 | |
|
1084 | 0 | if ((ret = _gnutls_check_key_cert_match(res)) < 0) { |
1085 | 0 | gnutls_assert(); |
1086 | 0 | return ret; |
1087 | 0 | } |
1088 | | |
1089 | 0 | CRED_RET_SUCCESS(res); |
1090 | 0 | } |
1091 | | |
1092 | | /** |
1093 | | * gnutls_certificate_set_x509_trust_mem: |
1094 | | * @res: is a #gnutls_certificate_credentials_t type. |
1095 | | * @ca: is a list of trusted CAs or a DER certificate |
1096 | | * @type: is DER or PEM |
1097 | | * |
1098 | | * This function adds the trusted CAs in order to verify client or |
1099 | | * server certificates. In case of a client this is not required to be |
1100 | | * called if the certificates are not verified using |
1101 | | * gnutls_certificate_verify_peers2(). This function may be called |
1102 | | * multiple times. |
1103 | | * |
1104 | | * In case of a server the CAs set here will be sent to the client if |
1105 | | * a certificate request is sent. This can be disabled using |
1106 | | * gnutls_certificate_send_x509_rdn_sequence(). |
1107 | | * |
1108 | | * Returns: the number of certificates processed or a negative error code |
1109 | | * on error. |
1110 | | **/ |
1111 | | int |
1112 | | gnutls_certificate_set_x509_trust_mem(gnutls_certificate_credentials_t res, |
1113 | | const gnutls_datum_t * ca, |
1114 | | gnutls_x509_crt_fmt_t type) |
1115 | 0 | { |
1116 | 0 | int ret; |
1117 | |
|
1118 | 0 | ret = gnutls_x509_trust_list_add_trust_mem(res->tlist, ca, NULL, |
1119 | 0 | type, GNUTLS_TL_USE_IN_TLS, |
1120 | 0 | 0); |
1121 | 0 | if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND) |
1122 | 0 | return 0; |
1123 | | |
1124 | 0 | return ret; |
1125 | 0 | } |
1126 | | |
1127 | | /** |
1128 | | * gnutls_certificate_set_x509_trust: |
1129 | | * @res: is a #gnutls_certificate_credentials_t type. |
1130 | | * @ca_list: is a list of trusted CAs |
1131 | | * @ca_list_size: holds the size of the CA list |
1132 | | * |
1133 | | * This function adds the trusted CAs in order to verify client |
1134 | | * or server certificates. In case of a client this is not required |
1135 | | * to be called if the certificates are not verified using |
1136 | | * gnutls_certificate_verify_peers2(). |
1137 | | * This function may be called multiple times. |
1138 | | * |
1139 | | * In case of a server the CAs set here will be sent to the client if |
1140 | | * a certificate request is sent. This can be disabled using |
1141 | | * gnutls_certificate_send_x509_rdn_sequence(). |
1142 | | * |
1143 | | * Returns: the number of certificates processed or a negative error code |
1144 | | * on error. |
1145 | | * |
1146 | | * Since: 2.4.0 |
1147 | | **/ |
1148 | | int |
1149 | | gnutls_certificate_set_x509_trust(gnutls_certificate_credentials_t res, |
1150 | | gnutls_x509_crt_t * ca_list, int ca_list_size) |
1151 | 0 | { |
1152 | 0 | int ret, i, j; |
1153 | 0 | gnutls_x509_crt_t *new_list; |
1154 | |
|
1155 | 0 | if (ca_list == NULL || ca_list_size < 1) |
1156 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
1157 | | |
1158 | 0 | new_list = _gnutls_reallocarray(NULL, ca_list_size, |
1159 | 0 | sizeof(gnutls_x509_crt_t)); |
1160 | 0 | if (!new_list) |
1161 | 0 | return GNUTLS_E_MEMORY_ERROR; |
1162 | | |
1163 | 0 | for (i = 0; i < ca_list_size; i++) { |
1164 | 0 | ret = gnutls_x509_crt_init(&new_list[i]); |
1165 | 0 | if (ret < 0) { |
1166 | 0 | gnutls_assert(); |
1167 | 0 | goto cleanup; |
1168 | 0 | } |
1169 | | |
1170 | 0 | ret = _gnutls_x509_crt_cpy(new_list[i], ca_list[i]); |
1171 | 0 | if (ret < 0) { |
1172 | 0 | gnutls_assert(); |
1173 | 0 | goto cleanup; |
1174 | 0 | } |
1175 | 0 | } |
1176 | | |
1177 | 0 | ret = |
1178 | 0 | gnutls_x509_trust_list_add_cas(res->tlist, new_list, |
1179 | 0 | ca_list_size, GNUTLS_TL_USE_IN_TLS); |
1180 | 0 | if (ret < 0) { |
1181 | 0 | gnutls_assert(); |
1182 | 0 | goto cleanup; |
1183 | 0 | } |
1184 | | |
1185 | 0 | gnutls_free(new_list); |
1186 | 0 | return ret; |
1187 | | |
1188 | 0 | cleanup: |
1189 | 0 | for (j = 0; j < i; j++) |
1190 | 0 | gnutls_x509_crt_deinit(new_list[j]); |
1191 | 0 | gnutls_free(new_list); |
1192 | |
|
1193 | 0 | return ret; |
1194 | 0 | } |
1195 | | |
1196 | | /** |
1197 | | * gnutls_certificate_set_x509_trust_file: |
1198 | | * @cred: is a #gnutls_certificate_credentials_t type. |
1199 | | * @cafile: is a file containing the list of trusted CAs (DER or PEM list) |
1200 | | * @type: is PEM or DER |
1201 | | * |
1202 | | * This function adds the trusted CAs in order to verify client or |
1203 | | * server certificates. In case of a client this is not required to |
1204 | | * be called if the certificates are not verified using |
1205 | | * gnutls_certificate_verify_peers2(). This function may be called |
1206 | | * multiple times. |
1207 | | * |
1208 | | * In case of a server the names of the CAs set here will be sent to |
1209 | | * the client if a certificate request is sent. This can be disabled |
1210 | | * using gnutls_certificate_send_x509_rdn_sequence(). |
1211 | | * |
1212 | | * This function can also accept URLs. In that case it |
1213 | | * will import all certificates that are marked as trusted. Note |
1214 | | * that the supported URLs are the ones indicated by gnutls_url_is_supported(). |
1215 | | * |
1216 | | * Returns: the number of certificates processed |
1217 | | **/ |
1218 | | int |
1219 | | gnutls_certificate_set_x509_trust_file(gnutls_certificate_credentials_t |
1220 | | cred, const char *cafile, |
1221 | | gnutls_x509_crt_fmt_t type) |
1222 | 0 | { |
1223 | 0 | int ret; |
1224 | |
|
1225 | 0 | ret = gnutls_x509_trust_list_add_trust_file(cred->tlist, cafile, NULL, |
1226 | 0 | type, GNUTLS_TL_USE_IN_TLS, |
1227 | 0 | 0); |
1228 | 0 | if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND) |
1229 | 0 | return 0; |
1230 | | |
1231 | 0 | return ret; |
1232 | 0 | } |
1233 | | |
1234 | | /** |
1235 | | * gnutls_certificate_set_x509_trust_dir: |
1236 | | * @cred: is a #gnutls_certificate_credentials_t type. |
1237 | | * @ca_dir: is a directory containing the list of trusted CAs (DER or PEM list) |
1238 | | * @type: is PEM or DER |
1239 | | * |
1240 | | * This function adds the trusted CAs present in the directory in order to |
1241 | | * verify client or server certificates. This function is identical |
1242 | | * to gnutls_certificate_set_x509_trust_file() but loads all certificates |
1243 | | * in a directory. |
1244 | | * |
1245 | | * Returns: the number of certificates processed |
1246 | | * |
1247 | | * Since: 3.3.6 |
1248 | | * |
1249 | | **/ |
1250 | | int |
1251 | | gnutls_certificate_set_x509_trust_dir(gnutls_certificate_credentials_t cred, |
1252 | | const char *ca_dir, |
1253 | | gnutls_x509_crt_fmt_t type) |
1254 | 0 | { |
1255 | 0 | int ret; |
1256 | |
|
1257 | 0 | ret = gnutls_x509_trust_list_add_trust_dir(cred->tlist, ca_dir, NULL, |
1258 | 0 | type, GNUTLS_TL_USE_IN_TLS, |
1259 | 0 | 0); |
1260 | 0 | if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND) |
1261 | 0 | return 0; |
1262 | | |
1263 | 0 | return ret; |
1264 | 0 | } |
1265 | | |
1266 | | /** |
1267 | | * gnutls_certificate_set_x509_system_trust: |
1268 | | * @cred: is a #gnutls_certificate_credentials_t type. |
1269 | | * |
1270 | | * This function adds the system's default trusted CAs in order to |
1271 | | * verify client or server certificates. |
1272 | | * |
1273 | | * In the case the system is currently unsupported %GNUTLS_E_UNIMPLEMENTED_FEATURE |
1274 | | * is returned. |
1275 | | * |
1276 | | * Returns: the number of certificates processed or a negative error code |
1277 | | * on error. |
1278 | | * |
1279 | | * Since: 3.0.20 |
1280 | | **/ |
1281 | | int |
1282 | | gnutls_certificate_set_x509_system_trust(gnutls_certificate_credentials_t cred) |
1283 | 0 | { |
1284 | 0 | return gnutls_x509_trust_list_add_system_trust(cred->tlist, |
1285 | 0 | GNUTLS_TL_USE_IN_TLS, 0); |
1286 | 0 | } |
1287 | | |
1288 | | /** |
1289 | | * gnutls_certificate_set_x509_crl_mem: |
1290 | | * @res: is a #gnutls_certificate_credentials_t type. |
1291 | | * @CRL: is a list of trusted CRLs. They should have been verified before. |
1292 | | * @type: is DER or PEM |
1293 | | * |
1294 | | * This function adds the trusted CRLs in order to verify client or |
1295 | | * server certificates. In case of a client this is not required to |
1296 | | * be called if the certificates are not verified using |
1297 | | * gnutls_certificate_verify_peers2(). This function may be called |
1298 | | * multiple times. |
1299 | | * |
1300 | | * Returns: number of CRLs processed, or a negative error code on error. |
1301 | | **/ |
1302 | | int |
1303 | | gnutls_certificate_set_x509_crl_mem(gnutls_certificate_credentials_t res, |
1304 | | const gnutls_datum_t * CRL, |
1305 | | gnutls_x509_crt_fmt_t type) |
1306 | 0 | { |
1307 | 0 | unsigned flags = GNUTLS_TL_USE_IN_TLS; |
1308 | 0 | int ret; |
1309 | |
|
1310 | 0 | if (res->flags & GNUTLS_CERTIFICATE_VERIFY_CRLS) |
1311 | 0 | flags |= GNUTLS_TL_VERIFY_CRL | GNUTLS_TL_FAIL_ON_INVALID_CRL; |
1312 | |
|
1313 | 0 | ret = gnutls_x509_trust_list_add_trust_mem(res->tlist, NULL, CRL, |
1314 | 0 | type, flags, 0); |
1315 | 0 | if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND) |
1316 | 0 | return 0; |
1317 | | |
1318 | 0 | return ret; |
1319 | 0 | } |
1320 | | |
1321 | | /** |
1322 | | * gnutls_certificate_set_x509_crl: |
1323 | | * @res: is a #gnutls_certificate_credentials_t type. |
1324 | | * @crl_list: is a list of trusted CRLs. They should have been verified before. |
1325 | | * @crl_list_size: holds the size of the crl_list |
1326 | | * |
1327 | | * This function adds the trusted CRLs in order to verify client or |
1328 | | * server certificates. In case of a client this is not required to |
1329 | | * be called if the certificates are not verified using |
1330 | | * gnutls_certificate_verify_peers2(). This function may be called |
1331 | | * multiple times. |
1332 | | * |
1333 | | * Returns: number of CRLs processed, or a negative error code on error. |
1334 | | * |
1335 | | * Since: 2.4.0 |
1336 | | **/ |
1337 | | int |
1338 | | gnutls_certificate_set_x509_crl(gnutls_certificate_credentials_t res, |
1339 | | gnutls_x509_crl_t * crl_list, int crl_list_size) |
1340 | 0 | { |
1341 | 0 | int ret, i, j; |
1342 | 0 | gnutls_x509_crl_t *new_crl; |
1343 | 0 | unsigned flags; |
1344 | |
|
1345 | 0 | flags = GNUTLS_TL_USE_IN_TLS; |
1346 | 0 | if (res->flags & GNUTLS_CERTIFICATE_VERIFY_CRLS) |
1347 | 0 | flags |= GNUTLS_TL_VERIFY_CRL | GNUTLS_TL_FAIL_ON_INVALID_CRL; |
1348 | |
|
1349 | 0 | new_crl = _gnutls_reallocarray(NULL, crl_list_size, |
1350 | 0 | sizeof(gnutls_x509_crl_t)); |
1351 | 0 | if (!new_crl) |
1352 | 0 | return GNUTLS_E_MEMORY_ERROR; |
1353 | | |
1354 | 0 | for (i = 0; i < crl_list_size; i++) { |
1355 | 0 | ret = gnutls_x509_crl_init(&new_crl[i]); |
1356 | 0 | if (ret < 0) { |
1357 | 0 | gnutls_assert(); |
1358 | 0 | goto cleanup; |
1359 | 0 | } |
1360 | | |
1361 | 0 | ret = _gnutls_x509_crl_cpy(new_crl[i], crl_list[i]); |
1362 | 0 | if (ret < 0) { |
1363 | 0 | gnutls_assert(); |
1364 | 0 | goto cleanup; |
1365 | 0 | } |
1366 | 0 | } |
1367 | | |
1368 | 0 | ret = |
1369 | 0 | gnutls_x509_trust_list_add_crls(res->tlist, new_crl, |
1370 | 0 | crl_list_size, flags, 0); |
1371 | 0 | if (ret < 0) { |
1372 | 0 | gnutls_assert(); |
1373 | 0 | goto cleanup; |
1374 | 0 | } |
1375 | | |
1376 | 0 | free(new_crl); |
1377 | 0 | return ret; |
1378 | | |
1379 | 0 | cleanup: |
1380 | 0 | for (j = 0; j < i; j++) |
1381 | 0 | gnutls_x509_crl_deinit(new_crl[j]); |
1382 | 0 | free(new_crl); |
1383 | |
|
1384 | 0 | return ret; |
1385 | 0 | } |
1386 | | |
1387 | | /** |
1388 | | * gnutls_certificate_set_x509_crl_file: |
1389 | | * @res: is a #gnutls_certificate_credentials_t type. |
1390 | | * @crlfile: is a file containing the list of verified CRLs (DER or PEM list) |
1391 | | * @type: is PEM or DER |
1392 | | * |
1393 | | * This function adds the trusted CRLs in order to verify client or server |
1394 | | * certificates. In case of a client this is not required |
1395 | | * to be called if the certificates are not verified using |
1396 | | * gnutls_certificate_verify_peers2(). |
1397 | | * This function may be called multiple times. |
1398 | | * |
1399 | | * Returns: number of CRLs processed or a negative error code on error. |
1400 | | **/ |
1401 | | int |
1402 | | gnutls_certificate_set_x509_crl_file(gnutls_certificate_credentials_t res, |
1403 | | const char *crlfile, |
1404 | | gnutls_x509_crt_fmt_t type) |
1405 | 0 | { |
1406 | 0 | int ret; |
1407 | 0 | unsigned flags = GNUTLS_TL_USE_IN_TLS; |
1408 | |
|
1409 | 0 | if (res->flags & GNUTLS_CERTIFICATE_VERIFY_CRLS) |
1410 | 0 | flags |= GNUTLS_TL_VERIFY_CRL | GNUTLS_TL_FAIL_ON_INVALID_CRL; |
1411 | |
|
1412 | 0 | ret = gnutls_x509_trust_list_add_trust_file(res->tlist, NULL, crlfile, |
1413 | 0 | type, flags, 0); |
1414 | 0 | if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND) |
1415 | 0 | return 0; |
1416 | | |
1417 | 0 | return ret; |
1418 | 0 | } |
1419 | | |
1420 | | #include <gnutls/pkcs12.h> |
1421 | | |
1422 | | /** |
1423 | | * gnutls_certificate_set_x509_simple_pkcs12_file: |
1424 | | * @res: is a #gnutls_certificate_credentials_t type. |
1425 | | * @pkcs12file: filename of file containing PKCS#12 blob. |
1426 | | * @type: is PEM or DER of the @pkcs12file. |
1427 | | * @password: optional password used to decrypt PKCS#12 file, bags and keys. |
1428 | | * |
1429 | | * This function sets a certificate/private key pair and/or a CRL in |
1430 | | * the gnutls_certificate_credentials_t type. This function may |
1431 | | * be called more than once (in case multiple keys/certificates exist |
1432 | | * for the server). |
1433 | | * |
1434 | | * PKCS#12 files with a MAC, encrypted bags and PKCS #8 |
1435 | | * private keys are supported. However, |
1436 | | * only password based security, and the same password for all |
1437 | | * operations, are supported. |
1438 | | * |
1439 | | * PKCS#12 file may contain many keys and/or certificates, and this |
1440 | | * function will try to auto-detect based on the key ID the certificate |
1441 | | * and key pair to use. If the PKCS#12 file contain the issuer of |
1442 | | * the selected certificate, it will be appended to the certificate |
1443 | | * to form a chain. |
1444 | | * |
1445 | | * If more than one private keys are stored in the PKCS#12 file, |
1446 | | * then only one key will be read (and it is undefined which one). |
1447 | | * |
1448 | | * It is believed that the limitations of this function is acceptable |
1449 | | * for most usage, and that any more flexibility would introduce |
1450 | | * complexity that would make it harder to use this functionality at |
1451 | | * all. |
1452 | | * |
1453 | | * Note that, this function by default returns zero on success and a negative value on error. |
1454 | | * Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags() |
1455 | | * it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair. |
1456 | | * |
1457 | | * Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior). |
1458 | | * |
1459 | | **/ |
1460 | | int |
1461 | | gnutls_certificate_set_x509_simple_pkcs12_file |
1462 | | (gnutls_certificate_credentials_t res, const char *pkcs12file, |
1463 | 0 | gnutls_x509_crt_fmt_t type, const char *password) { |
1464 | 0 | gnutls_datum_t p12blob; |
1465 | 0 | size_t size; |
1466 | 0 | int ret; |
1467 | |
|
1468 | 0 | p12blob.data = (void *)read_file(pkcs12file, RF_BINARY | RF_SENSITIVE, |
1469 | 0 | &size); |
1470 | 0 | p12blob.size = (unsigned int)size; |
1471 | 0 | if (p12blob.data == NULL) { |
1472 | 0 | gnutls_assert(); |
1473 | 0 | return GNUTLS_E_FILE_ERROR; |
1474 | 0 | } |
1475 | | |
1476 | 0 | ret = |
1477 | 0 | gnutls_certificate_set_x509_simple_pkcs12_mem(res, &p12blob, |
1478 | 0 | type, password); |
1479 | 0 | zeroize_key(p12blob.data, p12blob.size); |
1480 | 0 | free(p12blob.data); |
1481 | 0 | p12blob.size = 0; |
1482 | |
|
1483 | 0 | return ret; |
1484 | 0 | } |
1485 | | |
1486 | | /** |
1487 | | * gnutls_certificate_set_x509_simple_pkcs12_mem: |
1488 | | * @res: is a #gnutls_certificate_credentials_t type. |
1489 | | * @p12blob: the PKCS#12 blob. |
1490 | | * @type: is PEM or DER of the @pkcs12file. |
1491 | | * @password: optional password used to decrypt PKCS#12 file, bags and keys. |
1492 | | * |
1493 | | * This function sets a certificate/private key pair and/or a CRL in |
1494 | | * the gnutls_certificate_credentials_t type. This function may |
1495 | | * be called more than once (in case multiple keys/certificates exist |
1496 | | * for the server). |
1497 | | * |
1498 | | * Encrypted PKCS#12 bags and PKCS#8 private keys are supported. However, |
1499 | | * only password based security, and the same password for all |
1500 | | * operations, are supported. |
1501 | | * |
1502 | | * PKCS#12 file may contain many keys and/or certificates, and this |
1503 | | * function will try to auto-detect based on the key ID the certificate |
1504 | | * and key pair to use. If the PKCS#12 file contain the issuer of |
1505 | | * the selected certificate, it will be appended to the certificate |
1506 | | * to form a chain. |
1507 | | * |
1508 | | * If more than one private keys are stored in the PKCS#12 file, |
1509 | | * then only one key will be read (and it is undefined which one). |
1510 | | * |
1511 | | * It is believed that the limitations of this function is acceptable |
1512 | | * for most usage, and that any more flexibility would introduce |
1513 | | * complexity that would make it harder to use this functionality at |
1514 | | * all. |
1515 | | * |
1516 | | * Note that, this function by default returns zero on success and a negative value on error. |
1517 | | * Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags() |
1518 | | * it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair. |
1519 | | * |
1520 | | * Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior). |
1521 | | * |
1522 | | * Since: 2.8.0 |
1523 | | **/ |
1524 | | int |
1525 | | gnutls_certificate_set_x509_simple_pkcs12_mem |
1526 | | (gnutls_certificate_credentials_t res, const gnutls_datum_t * p12blob, |
1527 | 0 | gnutls_x509_crt_fmt_t type, const char *password) { |
1528 | 0 | gnutls_pkcs12_t p12; |
1529 | 0 | gnutls_x509_privkey_t key = NULL; |
1530 | 0 | gnutls_x509_crt_t *chain = NULL; |
1531 | 0 | gnutls_x509_crl_t crl = NULL; |
1532 | 0 | unsigned int chain_size = 0, i; |
1533 | 0 | int ret, idx; |
1534 | |
|
1535 | 0 | ret = gnutls_pkcs12_init(&p12); |
1536 | 0 | if (ret < 0) { |
1537 | 0 | gnutls_assert(); |
1538 | 0 | return ret; |
1539 | 0 | } |
1540 | | |
1541 | 0 | ret = gnutls_pkcs12_import(p12, p12blob, type, 0); |
1542 | 0 | if (ret < 0) { |
1543 | 0 | gnutls_assert(); |
1544 | 0 | gnutls_pkcs12_deinit(p12); |
1545 | 0 | return ret; |
1546 | 0 | } |
1547 | | |
1548 | 0 | if (password) { |
1549 | 0 | ret = gnutls_pkcs12_verify_mac(p12, password); |
1550 | 0 | if (ret < 0) { |
1551 | 0 | gnutls_assert(); |
1552 | 0 | gnutls_pkcs12_deinit(p12); |
1553 | 0 | return ret; |
1554 | 0 | } |
1555 | 0 | } |
1556 | | |
1557 | 0 | ret = |
1558 | 0 | gnutls_pkcs12_simple_parse(p12, password, &key, &chain, |
1559 | 0 | &chain_size, NULL, NULL, &crl, 0); |
1560 | 0 | gnutls_pkcs12_deinit(p12); |
1561 | 0 | if (ret < 0) { |
1562 | 0 | gnutls_assert(); |
1563 | 0 | return ret; |
1564 | 0 | } |
1565 | | |
1566 | 0 | if (key && chain) { |
1567 | 0 | ret = |
1568 | 0 | gnutls_certificate_set_x509_key(res, chain, chain_size, |
1569 | 0 | key); |
1570 | 0 | if (ret < 0) { |
1571 | 0 | gnutls_assert(); |
1572 | 0 | goto done; |
1573 | 0 | } |
1574 | | |
1575 | 0 | idx = ret; |
1576 | 0 | } else { |
1577 | 0 | gnutls_assert(); |
1578 | 0 | ret = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; |
1579 | 0 | goto done; |
1580 | 0 | } |
1581 | | |
1582 | 0 | if (crl) { |
1583 | 0 | ret = gnutls_certificate_set_x509_crl(res, &crl, 1); |
1584 | 0 | if (ret < 0) { |
1585 | 0 | gnutls_assert(); |
1586 | 0 | goto done; |
1587 | 0 | } |
1588 | 0 | } |
1589 | | |
1590 | 0 | if (res->flags & GNUTLS_CERTIFICATE_API_V2) |
1591 | 0 | ret = idx; |
1592 | 0 | else |
1593 | 0 | ret = 0; |
1594 | |
|
1595 | 0 | done: |
1596 | 0 | if (chain) { |
1597 | 0 | for (i = 0; i < chain_size; i++) |
1598 | 0 | gnutls_x509_crt_deinit(chain[i]); |
1599 | 0 | gnutls_free(chain); |
1600 | 0 | } |
1601 | 0 | if (key) |
1602 | 0 | gnutls_x509_privkey_deinit(key); |
1603 | 0 | if (crl) |
1604 | 0 | gnutls_x509_crl_deinit(crl); |
1605 | |
|
1606 | 0 | return ret; |
1607 | 0 | } |
1608 | | |
1609 | | /** |
1610 | | * gnutls_certificate_free_crls: |
1611 | | * @sc: is a #gnutls_certificate_credentials_t type. |
1612 | | * |
1613 | | * This function will delete all the CRLs associated |
1614 | | * with the given credentials. |
1615 | | **/ |
1616 | | void gnutls_certificate_free_crls(gnutls_certificate_credentials_t sc) |
1617 | 0 | { |
1618 | | /* do nothing for now */ |
1619 | 0 | return; |
1620 | 0 | } |
1621 | | |
1622 | | /** |
1623 | | * gnutls_certificate_credentials_t: |
1624 | | * @cred: is a #gnutls_certificate_credentials_t type. |
1625 | | * @fn: A PIN callback |
1626 | | * @userdata: Data to be passed in the callback |
1627 | | * |
1628 | | * This function will set a callback function to be used when |
1629 | | * required to access a protected object. This function overrides any other |
1630 | | * global PIN functions. |
1631 | | * |
1632 | | * Note that this function must be called right after initialization |
1633 | | * to have effect. |
1634 | | * |
1635 | | * Since: 3.1.0 |
1636 | | **/ |
1637 | | void gnutls_certificate_set_pin_function(gnutls_certificate_credentials_t |
1638 | | cred, gnutls_pin_callback_t fn, |
1639 | | void *userdata) |
1640 | 0 | { |
1641 | 0 | cred->pin.cb = fn; |
1642 | 0 | cred->pin.data = userdata; |
1643 | 0 | } |