/src/gnutls/lib/auth/cert.h
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) 2002-2012 Free Software Foundation, Inc. |
3 | | * Copyright (C) 2016-2019 Red Hat, Inc. |
4 | | * |
5 | | * Author: Nikos Mavrogiannopoulos |
6 | | * |
7 | | * This file is part of GnuTLS. |
8 | | * |
9 | | * The GnuTLS is free software; you can redistribute it and/or |
10 | | * modify it under the terms of the GNU Lesser General Public License |
11 | | * as published by the Free Software Foundation; either version 2.1 of |
12 | | * the License, or (at your option) any later version. |
13 | | * |
14 | | * This library is distributed in the hope that it will be useful, but |
15 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
17 | | * Lesser General Public License for more details. |
18 | | * |
19 | | * You should have received a copy of the GNU Lesser General Public License |
20 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
21 | | * |
22 | | */ |
23 | | |
24 | | #ifndef GNUTLS_LIB_AUTH_CERT_H |
25 | | # define GNUTLS_LIB_AUTH_CERT_H |
26 | | |
27 | | # include "auth.h" |
28 | | # include <auth/dh_common.h> |
29 | | # include <x509/x509_int.h> |
30 | | # include <gnutls/abstract.h> |
31 | | # include <gnutls/compat.h> |
32 | | # include <str_array.h> |
33 | | # include "abstract_int.h" |
34 | | |
35 | | # define MAX_OCSP_RESPONSES 8 |
36 | | |
37 | | /* We use the structure below to hold a certificate chain |
38 | | * with corresponding public/private key pair. This structure will |
39 | | * also be used when raw public keys are used. The cert_list will |
40 | | * then not hold the cert chain but only a raw public-key. In that case |
41 | | * the list length is always 1. |
42 | | */ |
43 | | typedef struct { |
44 | | gnutls_pcert_st *cert_list; /* a certificate chain */ |
45 | | unsigned int cert_list_length; /* its length */ |
46 | | gnutls_str_array_t names; /* the names in the first certificate */ |
47 | | |
48 | | gnutls_status_request_ocsp_func ocsp_func; |
49 | | void *ocsp_func_ptr; /* corresponding OCSP response function + ptr */ |
50 | | |
51 | | gnutls_ocsp_data_st ocsp_data[MAX_OCSP_RESPONSES]; |
52 | | unsigned int ocsp_data_length; |
53 | | |
54 | | /* the private key corresponding to certificate */ |
55 | | gnutls_privkey_t pkey; |
56 | | } certs_st; |
57 | | |
58 | | /* This structure may be complex, but it's the only way to |
59 | | * support a server that has multiple certificates |
60 | | */ |
61 | | typedef struct gnutls_certificate_credentials_st { |
62 | | gnutls_dh_params_t dh_params; |
63 | | unsigned deinit_dh_params; /* if the internal values are set */ |
64 | | gnutls_sec_param_t dh_sec_param; /* used in RFC7919 negotiation */ |
65 | | |
66 | | /* this callback is used to retrieve the DH or RSA |
67 | | * parameters. |
68 | | */ |
69 | | gnutls_params_function *params_func; |
70 | | |
71 | | certs_st *certs; |
72 | | unsigned ncerts; /* the number of certs */ |
73 | | |
74 | | /* contains sorted index values for certs. Sorted in a way |
75 | | * that RSA-PSS keys always take precedence over plain RSA keys |
76 | | * to ensure that we use only RSA-PSS keys if present for RSA-PSS |
77 | | * operations. We keep indexes to certs structures above. |
78 | | */ |
79 | | unsigned int *sorted_cert_idx; |
80 | | |
81 | | /* X509 specific stuff */ |
82 | | gnutls_x509_trust_list_t tlist; |
83 | | unsigned flags; /* gnutls_certificate_flags */ |
84 | | unsigned int verify_flags; /* flags to be used at |
85 | | * certificate verification. |
86 | | */ |
87 | | unsigned int verify_depth; |
88 | | unsigned int verify_bits; |
89 | | |
90 | | /* It's a mess here. However we need to keep the old 3 functions |
91 | | * for compatibility */ |
92 | | gnutls_certificate_retrieve_function *legacy_cert_cb1; /* deprecated */ |
93 | | gnutls_certificate_retrieve_function2 *legacy_cert_cb2; |
94 | | gnutls_certificate_retrieve_function3 *get_cert_callback3; |
95 | | |
96 | | gnutls_certificate_verify_function *verify_callback; |
97 | | |
98 | | struct pin_info_st pin; |
99 | | /* temporarily hold the PIN if set_key_file2() is used with a PIN */ |
100 | | char pin_tmp[GNUTLS_PKCS11_MAX_PIN_LEN]; |
101 | | |
102 | | /* OCSP */ |
103 | | gnutls_status_request_ocsp_func glob_ocsp_func; |
104 | | void *glob_ocsp_func_ptr; /* corresponding OCSP response function */ |
105 | | |
106 | | /* This is only used by server to indicate whether this |
107 | | * credentials can be used for signing in TLS 1.3. */ |
108 | | bool tls13_ok; |
109 | | } certificate_credentials_st; |
110 | | |
111 | | /* This is the information we keep for the peer |
112 | | * certificate. |
113 | | */ |
114 | | typedef struct cert_auth_info_st { |
115 | | /* These (dh/rsa) are just copies from the credentials_t structure. |
116 | | * They must be freed. |
117 | | */ |
118 | | dh_info_st dh; |
119 | | |
120 | | /* we store the peer's OCSP responses received during |
121 | | * this session. */ |
122 | | gnutls_datum_t *raw_ocsp_list; |
123 | | unsigned int nocsp; |
124 | | |
125 | | /* we store the peer's certificates received during |
126 | | * this ession */ |
127 | | gnutls_datum_t *raw_certificate_list; |
128 | | unsigned int ncerts; |
129 | | |
130 | | gnutls_certificate_type_t cert_type; |
131 | | } *cert_auth_info_t; |
132 | | |
133 | | typedef struct cert_auth_info_st cert_auth_info_st; |
134 | | |
135 | | /* AUTH X509 functions */ |
136 | | int _gnutls_gen_cert_server_crt(gnutls_session_t, gnutls_buffer_st *); |
137 | | int _gnutls_gen_cert_client_crt(gnutls_session_t, gnutls_buffer_st *); |
138 | | int _gnutls_gen_cert_client_crt_vrfy(gnutls_session_t, gnutls_buffer_st *); |
139 | | int _gnutls_gen_cert_server_cert_req(gnutls_session_t, gnutls_buffer_st *); |
140 | | int _gnutls_proc_cert_cert_req(gnutls_session_t, uint8_t *, size_t); |
141 | | int _gnutls_proc_cert_client_crt_vrfy(gnutls_session_t, uint8_t *, size_t); |
142 | | int _gnutls_proc_crt(gnutls_session_t, uint8_t *, size_t); |
143 | | int _gnutls_get_selected_cert(gnutls_session_t session, |
144 | | gnutls_pcert_st ** apr_cert_list, |
145 | | int *apr_cert_list_length, |
146 | | gnutls_privkey_t * apr_pkey); |
147 | | |
148 | | int |
149 | | _gnutls_select_client_cert(gnutls_session_t session, |
150 | | const uint8_t * _data, size_t _data_size, |
151 | | gnutls_pk_algorithm_t * pk_algos, |
152 | | int pk_algos_length); |
153 | | |
154 | | int _gnutls_pcert_to_auth_info(cert_auth_info_t info, gnutls_pcert_st * certs, |
155 | | size_t ncerts); |
156 | | |
157 | | int |
158 | | _gnutls_select_server_cert(gnutls_session_t session, |
159 | | const gnutls_cipher_suite_entry_st * cs); |
160 | | void _gnutls_selected_certs_deinit(gnutls_session_t session); |
161 | | |
162 | | int _gnutls_get_auth_info_pcert(gnutls_pcert_st * gcert, |
163 | | gnutls_certificate_type_t type, |
164 | | cert_auth_info_t info); |
165 | | |
166 | | int _gnutls_selected_cert_supported_kx(struct gnutls_session_int *session, |
167 | | gnutls_kx_algorithm_t * alg, |
168 | | int *alg_size); |
169 | | |
170 | | int _gnutls_check_key_cert_match(gnutls_certificate_credentials_t res); |
171 | | |
172 | | int _gnutls_gen_dhe_signature(gnutls_session_t session, |
173 | | gnutls_buffer_st * data, uint8_t * plain, |
174 | | unsigned plain_size); |
175 | | int _gnutls_proc_dhe_signature(gnutls_session_t session, uint8_t * data, |
176 | | size_t _data_size, gnutls_datum_t * vparams); |
177 | | |
178 | | int _gnutls_gen_rawpk_crt(gnutls_session_t session, gnutls_buffer_st * data); |
179 | | int _gnutls_proc_rawpk_crt(gnutls_session_t session, |
180 | | uint8_t * data, size_t data_size); |
181 | | |
182 | | inline static unsigned get_key_usage(gnutls_session_t session, |
183 | | gnutls_pubkey_t pubkey) |
184 | 0 | { |
185 | 0 | if (unlikely(session->internals.priorities && |
186 | 0 | session->internals. |
187 | 0 | priorities->allow_server_key_usage_violation)) |
188 | 0 | return 0; |
189 | 0 | else |
190 | 0 | return pubkey->key_usage; |
191 | 0 | } |
192 | | |
193 | | #endif /* GNUTLS_LIB_AUTH_CERT_H */ |