/src/gnutls/lib/cert-cred-x509.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright (C) 2002-2016 Free Software Foundation, Inc. |
3 | | * Copyright (C) 2016-2017 Red Hat, Inc. |
4 | | * |
5 | | * Author: Nikos Mavrogiannopoulos |
6 | | * |
7 | | * This file is part of GnuTLS. |
8 | | * |
9 | | * The GnuTLS is free software; you can redistribute it and/or |
10 | | * modify it under the terms of the GNU Lesser General Public License |
11 | | * as published by the Free Software Foundation; either version 2.1 of |
12 | | * the License, or (at your option) any later version. |
13 | | * |
14 | | * This library is distributed in the hope that it will be useful, but |
15 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
17 | | * Lesser General Public License for more details. |
18 | | * |
19 | | * You should have received a copy of the GNU Lesser General Public License |
20 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
21 | | * |
22 | | */ |
23 | | |
24 | | #include "gnutls_int.h" |
25 | | #include "auth.h" |
26 | | #include "errors.h" |
27 | | #include "auth/cert.h" |
28 | | #include "dh.h" |
29 | | #include "num.h" |
30 | | #include "datum.h" |
31 | | #include "pk.h" |
32 | | #include "algorithms.h" |
33 | | #include "global.h" |
34 | | #include "record.h" |
35 | | #include "tls-sig.h" |
36 | | #include "state.h" |
37 | | #include "pk.h" |
38 | | #include "str.h" |
39 | | #include "debug.h" |
40 | | #include "x509_b64.h" |
41 | | #include "x509.h" |
42 | | #include "x509/common.h" |
43 | | #include "x509/x509_int.h" |
44 | | #include "str_array.h" |
45 | | #include <gnutls/x509.h> |
46 | | #include "read-file.h" |
47 | | #include "system-keys.h" |
48 | | #include "urls.h" |
49 | | #include "cert-cred.h" |
50 | | #ifdef _WIN32 |
51 | | #include <wincrypt.h> |
52 | | #endif |
53 | | |
54 | | /* |
55 | | * This file includes functions related to adding certificates and other |
56 | | * related objects in a certificate credentials structure. |
57 | | */ |
58 | | |
59 | | /* Returns the name of the certificate of a null name |
60 | | */ |
61 | | int _gnutls_get_x509_name(gnutls_x509_crt_t crt, gnutls_str_array_t *names) |
62 | 0 | { |
63 | 0 | size_t max_size; |
64 | 0 | int i, ret = 0, ret2; |
65 | 0 | char name[MAX_CN]; |
66 | 0 | unsigned have_dns_name = 0; |
67 | |
|
68 | 0 | for (i = 0; !(ret < 0); i++) { |
69 | 0 | max_size = sizeof(name); |
70 | |
|
71 | 0 | ret = gnutls_x509_crt_get_subject_alt_name(crt, i, name, |
72 | 0 | &max_size, NULL); |
73 | 0 | if (ret == GNUTLS_SAN_DNSNAME) { |
74 | 0 | have_dns_name = 1; |
75 | |
|
76 | 0 | ret2 = _gnutls_str_array_append_idna(names, name, |
77 | 0 | max_size); |
78 | 0 | if (ret2 < 0) { |
79 | 0 | _gnutls_str_array_clear(names); |
80 | 0 | return gnutls_assert_val(ret2); |
81 | 0 | } |
82 | 0 | } |
83 | 0 | } |
84 | | |
85 | 0 | if (have_dns_name == 0) { |
86 | 0 | max_size = sizeof(name); |
87 | 0 | ret = gnutls_x509_crt_get_dn_by_oid(crt, OID_X520_COMMON_NAME, |
88 | 0 | 0, 0, name, &max_size); |
89 | 0 | if (ret >= 0) { |
90 | 0 | ret = _gnutls_str_array_append_idna(names, name, |
91 | 0 | max_size); |
92 | 0 | if (ret < 0) { |
93 | 0 | _gnutls_str_array_clear(names); |
94 | 0 | return gnutls_assert_val(ret); |
95 | 0 | } |
96 | 0 | } |
97 | 0 | } |
98 | | |
99 | 0 | return 0; |
100 | 0 | } |
101 | | |
102 | | /* Reads a DER encoded certificate list from memory and stores it to a |
103 | | * gnutls_cert structure. Returns the number of certificates parsed. |
104 | | */ |
105 | | static int parse_der_cert_mem(gnutls_certificate_credentials_t res, |
106 | | gnutls_privkey_t key, const void *input_cert, |
107 | | int input_cert_size) |
108 | 0 | { |
109 | 0 | gnutls_datum_t tmp; |
110 | 0 | gnutls_x509_crt_t crt; |
111 | 0 | gnutls_pcert_st *ccert; |
112 | 0 | int ret; |
113 | 0 | gnutls_str_array_t names; |
114 | |
|
115 | 0 | _gnutls_str_array_init(&names); |
116 | |
|
117 | 0 | ccert = gnutls_malloc(sizeof(*ccert)); |
118 | 0 | if (ccert == NULL) { |
119 | 0 | gnutls_assert(); |
120 | 0 | return GNUTLS_E_MEMORY_ERROR; |
121 | 0 | } |
122 | | |
123 | 0 | ret = gnutls_x509_crt_init(&crt); |
124 | 0 | if (ret < 0) { |
125 | 0 | gnutls_assert(); |
126 | 0 | goto cleanup; |
127 | 0 | } |
128 | | |
129 | 0 | tmp.data = (uint8_t *)input_cert; |
130 | 0 | tmp.size = input_cert_size; |
131 | |
|
132 | 0 | ret = gnutls_x509_crt_import(crt, &tmp, GNUTLS_X509_FMT_DER); |
133 | 0 | if (ret < 0) { |
134 | 0 | gnutls_assert(); |
135 | 0 | gnutls_x509_crt_deinit(crt); |
136 | 0 | goto cleanup; |
137 | 0 | } |
138 | | |
139 | 0 | ret = _gnutls_get_x509_name(crt, &names); |
140 | 0 | if (ret < 0) { |
141 | 0 | gnutls_assert(); |
142 | 0 | gnutls_x509_crt_deinit(crt); |
143 | 0 | goto cleanup; |
144 | 0 | } |
145 | | |
146 | 0 | ret = gnutls_pcert_import_x509(ccert, crt, 0); |
147 | 0 | gnutls_x509_crt_deinit(crt); |
148 | |
|
149 | 0 | if (ret < 0) { |
150 | 0 | gnutls_assert(); |
151 | 0 | goto cleanup; |
152 | 0 | } |
153 | | |
154 | 0 | ret = _gnutls_certificate_credential_append_keypair(res, key, names, |
155 | 0 | ccert, 1); |
156 | 0 | if (ret < 0) { |
157 | 0 | gnutls_assert(); |
158 | 0 | goto cleanup; |
159 | 0 | } |
160 | | |
161 | 0 | return ret; |
162 | | |
163 | 0 | cleanup: |
164 | 0 | _gnutls_str_array_clear(&names); |
165 | 0 | gnutls_free(ccert); |
166 | 0 | return ret; |
167 | 0 | } |
168 | | |
169 | | /* Reads a base64 encoded certificate list from memory and stores it to |
170 | | * a gnutls_cert structure. Returns the number of certificate parsed. |
171 | | */ |
172 | | static int parse_pem_cert_mem(gnutls_certificate_credentials_t res, |
173 | | gnutls_privkey_t key, const char *input_cert, |
174 | | int input_cert_size) |
175 | 0 | { |
176 | 0 | int size; |
177 | 0 | const char *ptr; |
178 | 0 | gnutls_datum_t tmp; |
179 | 0 | int ret, count, i; |
180 | 0 | unsigned ncerts = 0; |
181 | 0 | gnutls_pcert_st *pcerts = NULL; |
182 | 0 | gnutls_str_array_t names; |
183 | 0 | gnutls_x509_crt_t unsorted[DEFAULT_MAX_VERIFY_DEPTH]; |
184 | |
|
185 | 0 | _gnutls_str_array_init(&names); |
186 | | |
187 | | /* move to the certificate |
188 | | */ |
189 | 0 | ptr = memmem(input_cert, input_cert_size, PEM_CERT_SEP, |
190 | 0 | sizeof(PEM_CERT_SEP) - 1); |
191 | 0 | if (ptr == NULL) |
192 | 0 | ptr = memmem(input_cert, input_cert_size, PEM_CERT_SEP2, |
193 | 0 | sizeof(PEM_CERT_SEP2) - 1); |
194 | |
|
195 | 0 | if (ptr == NULL) { |
196 | 0 | gnutls_assert(); |
197 | 0 | return GNUTLS_E_BASE64_DECODING_ERROR; |
198 | 0 | } |
199 | 0 | size = input_cert_size - (ptr - input_cert); |
200 | |
|
201 | 0 | count = 0; |
202 | |
|
203 | 0 | do { |
204 | 0 | tmp.data = (void *)ptr; |
205 | 0 | tmp.size = size; |
206 | |
|
207 | 0 | ret = gnutls_x509_crt_init(&unsorted[count]); |
208 | 0 | if (ret < 0) { |
209 | 0 | gnutls_assert(); |
210 | 0 | goto cleanup; |
211 | 0 | } |
212 | | |
213 | 0 | ret = gnutls_x509_crt_import(unsorted[count], &tmp, |
214 | 0 | GNUTLS_X509_FMT_PEM); |
215 | 0 | if (ret < 0) { |
216 | 0 | gnutls_assert(); |
217 | 0 | goto cleanup; |
218 | 0 | } |
219 | 0 | count++; |
220 | | |
221 | | /* now we move ptr after the pem header |
222 | | */ |
223 | 0 | ptr++; |
224 | 0 | size--; |
225 | | |
226 | | /* find the next certificate (if any) |
227 | | */ |
228 | |
|
229 | 0 | if (size > 0) { |
230 | 0 | char *ptr3; |
231 | |
|
232 | 0 | ptr3 = memmem(ptr, size, PEM_CERT_SEP, |
233 | 0 | sizeof(PEM_CERT_SEP) - 1); |
234 | 0 | if (ptr3 == NULL) |
235 | 0 | ptr3 = memmem(ptr, size, PEM_CERT_SEP2, |
236 | 0 | sizeof(PEM_CERT_SEP2) - 1); |
237 | |
|
238 | 0 | ptr = ptr3; |
239 | 0 | size = input_cert_size - (ptr - input_cert); |
240 | 0 | } else |
241 | 0 | ptr = NULL; |
242 | |
|
243 | 0 | } while (ptr != NULL && count < DEFAULT_MAX_VERIFY_DEPTH); |
244 | | |
245 | 0 | ret = _gnutls_get_x509_name(unsorted[0], &names); |
246 | 0 | if (ret < 0) { |
247 | 0 | gnutls_assert(); |
248 | 0 | goto cleanup; |
249 | 0 | } |
250 | | |
251 | 0 | pcerts = _gnutls_reallocarray(NULL, count, sizeof(gnutls_pcert_st)); |
252 | 0 | if (pcerts == NULL) { |
253 | 0 | gnutls_assert(); |
254 | 0 | return GNUTLS_E_MEMORY_ERROR; |
255 | 0 | } |
256 | | |
257 | 0 | ncerts = count; |
258 | 0 | ret = gnutls_pcert_import_x509_list(pcerts, unsorted, &ncerts, |
259 | 0 | GNUTLS_X509_CRT_LIST_SORT); |
260 | 0 | if (ret < 0) { |
261 | 0 | gnutls_free(pcerts); |
262 | 0 | gnutls_assert(); |
263 | 0 | goto cleanup; |
264 | 0 | } |
265 | | |
266 | 0 | ret = _gnutls_certificate_credential_append_keypair(res, key, names, |
267 | 0 | pcerts, ncerts); |
268 | 0 | if (ret < 0) { |
269 | 0 | gnutls_assert(); |
270 | 0 | goto cleanup; |
271 | 0 | } |
272 | | |
273 | 0 | for (i = 0; i < count; i++) |
274 | 0 | gnutls_x509_crt_deinit(unsorted[i]); |
275 | |
|
276 | 0 | return ncerts; |
277 | | |
278 | 0 | cleanup: |
279 | 0 | _gnutls_str_array_clear(&names); |
280 | 0 | for (i = 0; i < count; i++) |
281 | 0 | gnutls_x509_crt_deinit(unsorted[i]); |
282 | 0 | if (pcerts) { |
283 | 0 | for (i = 0; i < count; i++) |
284 | 0 | gnutls_pcert_deinit(&pcerts[i]); |
285 | 0 | gnutls_free(pcerts); |
286 | 0 | } |
287 | 0 | return ret; |
288 | 0 | } |
289 | | |
290 | | /* Reads a DER or PEM certificate from memory |
291 | | */ |
292 | | static int read_cert_mem(gnutls_certificate_credentials_t res, |
293 | | gnutls_privkey_t key, const void *cert, int cert_size, |
294 | | gnutls_x509_crt_fmt_t type) |
295 | 0 | { |
296 | 0 | int ret; |
297 | |
|
298 | 0 | if (type == GNUTLS_X509_FMT_DER) |
299 | 0 | ret = parse_der_cert_mem(res, key, cert, cert_size); |
300 | 0 | else |
301 | 0 | ret = parse_pem_cert_mem(res, key, cert, cert_size); |
302 | |
|
303 | 0 | if (ret < 0) { |
304 | 0 | gnutls_assert(); |
305 | 0 | return ret; |
306 | 0 | } |
307 | | |
308 | 0 | return ret; |
309 | 0 | } |
310 | | |
311 | | static int tmp_pin_cb(void *userdata, int attempt, const char *token_url, |
312 | | const char *token_label, unsigned int flags, char *pin, |
313 | | size_t pin_max) |
314 | 0 | { |
315 | 0 | const char *tmp_pin = userdata; |
316 | |
|
317 | 0 | if (attempt == 0) { |
318 | 0 | snprintf(pin, pin_max, "%s", tmp_pin); |
319 | 0 | return 0; |
320 | 0 | } |
321 | | |
322 | 0 | return -1; |
323 | 0 | } |
324 | | |
325 | | /* Reads a PEM encoded PKCS-1 RSA/DSA private key from memory. Type |
326 | | * indicates the certificate format. |
327 | | * |
328 | | * It returns the private key read in @rkey. |
329 | | */ |
330 | | int _gnutls_read_key_mem(gnutls_certificate_credentials_t res, const void *key, |
331 | | int key_size, gnutls_x509_crt_fmt_t type, |
332 | | const char *pass, unsigned int flags, |
333 | | gnutls_privkey_t *rkey) |
334 | 0 | { |
335 | 0 | int ret; |
336 | 0 | gnutls_datum_t tmp; |
337 | 0 | gnutls_privkey_t privkey; |
338 | |
|
339 | 0 | if (key) { |
340 | 0 | tmp.data = (uint8_t *)key; |
341 | 0 | tmp.size = key_size; |
342 | |
|
343 | 0 | ret = gnutls_privkey_init(&privkey); |
344 | 0 | if (ret < 0) { |
345 | 0 | gnutls_assert(); |
346 | 0 | return ret; |
347 | 0 | } |
348 | | |
349 | 0 | if (res->pin.cb) { |
350 | 0 | gnutls_privkey_set_pin_function(privkey, res->pin.cb, |
351 | 0 | res->pin.data); |
352 | 0 | } else if (pass != NULL) { |
353 | 0 | snprintf(res->pin_tmp, sizeof(res->pin_tmp), "%s", |
354 | 0 | pass); |
355 | 0 | gnutls_privkey_set_pin_function(privkey, tmp_pin_cb, |
356 | 0 | res->pin_tmp); |
357 | 0 | } |
358 | |
|
359 | 0 | ret = gnutls_privkey_import_x509_raw(privkey, &tmp, type, pass, |
360 | 0 | flags); |
361 | 0 | if (ret < 0) { |
362 | 0 | gnutls_assert(); |
363 | 0 | gnutls_privkey_deinit(privkey); |
364 | 0 | return ret; |
365 | 0 | } |
366 | | |
367 | 0 | *rkey = privkey; |
368 | 0 | } else { |
369 | 0 | gnutls_assert(); |
370 | 0 | return GNUTLS_E_INVALID_REQUEST; |
371 | 0 | } |
372 | | |
373 | 0 | return 0; |
374 | 0 | } |
375 | | |
376 | | /* Reads a private key from a token. |
377 | | */ |
378 | | static int read_key_url(gnutls_certificate_credentials_t res, const char *url, |
379 | | gnutls_privkey_t *rkey) |
380 | 0 | { |
381 | 0 | int ret; |
382 | 0 | gnutls_privkey_t pkey = NULL; |
383 | | |
384 | | /* allocate space for the pkey list |
385 | | */ |
386 | 0 | ret = gnutls_privkey_init(&pkey); |
387 | 0 | if (ret < 0) { |
388 | 0 | gnutls_assert(); |
389 | 0 | goto cleanup; |
390 | 0 | } |
391 | | |
392 | 0 | if (res->pin.cb) |
393 | 0 | gnutls_privkey_set_pin_function(pkey, res->pin.cb, |
394 | 0 | res->pin.data); |
395 | |
|
396 | 0 | ret = gnutls_privkey_import_url(pkey, url, 0); |
397 | 0 | if (ret < 0) { |
398 | 0 | gnutls_assert(); |
399 | 0 | goto cleanup; |
400 | 0 | } |
401 | | |
402 | 0 | *rkey = pkey; |
403 | |
|
404 | 0 | return 0; |
405 | | |
406 | 0 | cleanup: |
407 | 0 | if (pkey) |
408 | 0 | gnutls_privkey_deinit(pkey); |
409 | |
|
410 | 0 | return ret; |
411 | 0 | } |
412 | | |
413 | 0 | #define MAX_PKCS11_CERT_CHAIN 8 |
414 | | /* Reads a certificate key from a token. |
415 | | */ |
416 | | static int read_cert_url(gnutls_certificate_credentials_t res, |
417 | | gnutls_privkey_t key, const char *url) |
418 | 0 | { |
419 | 0 | int ret; |
420 | 0 | gnutls_x509_crt_t crt = NULL; |
421 | 0 | gnutls_pcert_st *ccert = NULL; |
422 | 0 | gnutls_str_array_t names; |
423 | 0 | gnutls_datum_t t = { NULL, 0 }; |
424 | 0 | unsigned i, count = 0; |
425 | |
|
426 | 0 | _gnutls_str_array_init(&names); |
427 | |
|
428 | 0 | ccert = _gnutls_reallocarray(NULL, MAX_PKCS11_CERT_CHAIN, |
429 | 0 | sizeof(*ccert)); |
430 | 0 | if (ccert == NULL) { |
431 | 0 | gnutls_assert(); |
432 | 0 | ret = GNUTLS_E_MEMORY_ERROR; |
433 | 0 | goto cleanup; |
434 | 0 | } |
435 | | |
436 | 0 | ret = gnutls_x509_crt_init(&crt); |
437 | 0 | if (ret < 0) { |
438 | 0 | gnutls_assert(); |
439 | 0 | goto cleanup; |
440 | 0 | } |
441 | | |
442 | 0 | if (res->pin.cb) |
443 | 0 | gnutls_x509_crt_set_pin_function(crt, res->pin.cb, |
444 | 0 | res->pin.data); |
445 | |
|
446 | 0 | ret = gnutls_x509_crt_import_url(crt, url, 0); |
447 | 0 | if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) |
448 | 0 | ret = gnutls_x509_crt_import_url(crt, url, |
449 | 0 | GNUTLS_PKCS11_OBJ_FLAG_LOGIN); |
450 | 0 | if (ret < 0) { |
451 | 0 | gnutls_assert(); |
452 | 0 | goto cleanup; |
453 | 0 | } |
454 | | |
455 | 0 | ret = _gnutls_get_x509_name(crt, &names); |
456 | 0 | if (ret < 0) { |
457 | 0 | gnutls_assert(); |
458 | 0 | goto cleanup; |
459 | 0 | } |
460 | | |
461 | | /* Try to load the whole certificate chain from the PKCS #11 token */ |
462 | 0 | for (i = 0; i < MAX_PKCS11_CERT_CHAIN; i++) { |
463 | 0 | ret = gnutls_x509_crt_check_issuer(crt, crt); |
464 | 0 | if (i > 0 && ret != 0) { |
465 | | /* self signed */ |
466 | 0 | break; |
467 | 0 | } |
468 | | |
469 | 0 | ret = gnutls_pcert_import_x509(&ccert[i], crt, 0); |
470 | 0 | if (ret < 0) { |
471 | 0 | gnutls_assert(); |
472 | 0 | goto cleanup; |
473 | 0 | } |
474 | 0 | count++; |
475 | |
|
476 | 0 | ret = _gnutls_get_raw_issuer(url, crt, &t, 0); |
477 | 0 | if (ret < 0) |
478 | 0 | break; |
479 | | |
480 | 0 | gnutls_x509_crt_deinit(crt); |
481 | 0 | crt = NULL; |
482 | 0 | ret = gnutls_x509_crt_init(&crt); |
483 | 0 | if (ret < 0) { |
484 | 0 | gnutls_assert(); |
485 | 0 | goto cleanup; |
486 | 0 | } |
487 | | |
488 | 0 | ret = gnutls_x509_crt_import(crt, &t, GNUTLS_X509_FMT_DER); |
489 | 0 | if (ret < 0) { |
490 | 0 | gnutls_assert(); |
491 | 0 | goto cleanup; |
492 | 0 | } |
493 | 0 | gnutls_free(t.data); |
494 | 0 | } |
495 | | |
496 | 0 | ret = _gnutls_certificate_credential_append_keypair(res, key, names, |
497 | 0 | ccert, count); |
498 | 0 | if (ret < 0) { |
499 | 0 | gnutls_assert(); |
500 | 0 | goto cleanup; |
501 | 0 | } |
502 | | |
503 | 0 | if (crt != NULL) |
504 | 0 | gnutls_x509_crt_deinit(crt); |
505 | |
|
506 | 0 | return 0; |
507 | 0 | cleanup: |
508 | 0 | if (crt != NULL) |
509 | 0 | gnutls_x509_crt_deinit(crt); |
510 | 0 | gnutls_free(t.data); |
511 | 0 | _gnutls_str_array_clear(&names); |
512 | 0 | gnutls_free(ccert); |
513 | 0 | return ret; |
514 | 0 | } |
515 | | |
516 | | /* Reads a certificate file |
517 | | */ |
518 | | static int read_cert_file(gnutls_certificate_credentials_t res, |
519 | | gnutls_privkey_t key, const char *certfile, |
520 | | gnutls_x509_crt_fmt_t type) |
521 | 0 | { |
522 | 0 | int ret; |
523 | 0 | size_t size; |
524 | 0 | char *data; |
525 | |
|
526 | 0 | if (gnutls_url_is_supported(certfile)) { |
527 | 0 | return read_cert_url(res, key, certfile); |
528 | 0 | } |
529 | | |
530 | 0 | data = read_file(certfile, RF_BINARY, &size); |
531 | |
|
532 | 0 | if (data == NULL) { |
533 | 0 | gnutls_assert(); |
534 | 0 | return GNUTLS_E_FILE_ERROR; |
535 | 0 | } |
536 | | |
537 | 0 | ret = read_cert_mem(res, key, data, size, type); |
538 | 0 | free(data); |
539 | |
|
540 | 0 | return ret; |
541 | 0 | } |
542 | | |
543 | | /* Reads PKCS-1 RSA private key file or a DSA file (in the format openssl |
544 | | * stores it). |
545 | | */ |
546 | | int _gnutls_read_key_file(gnutls_certificate_credentials_t res, |
547 | | const char *keyfile, gnutls_x509_crt_fmt_t type, |
548 | | const char *pass, unsigned int flags, |
549 | | gnutls_privkey_t *rkey) |
550 | 0 | { |
551 | 0 | int ret; |
552 | 0 | size_t size; |
553 | 0 | char *data; |
554 | |
|
555 | 0 | if (_gnutls_url_is_known(keyfile)) { |
556 | 0 | if (gnutls_url_is_supported(keyfile)) { |
557 | | /* if no PIN function is specified, and we have a PIN, |
558 | | * specify one */ |
559 | 0 | if (pass != NULL && res->pin.cb == NULL) { |
560 | 0 | snprintf(res->pin_tmp, sizeof(res->pin_tmp), |
561 | 0 | "%s", pass); |
562 | 0 | gnutls_certificate_set_pin_function( |
563 | 0 | res, tmp_pin_cb, res->pin_tmp); |
564 | 0 | } |
565 | |
|
566 | 0 | return read_key_url(res, keyfile, rkey); |
567 | 0 | } else |
568 | 0 | return gnutls_assert_val( |
569 | 0 | GNUTLS_E_UNIMPLEMENTED_FEATURE); |
570 | 0 | } |
571 | | |
572 | 0 | data = read_file(keyfile, RF_BINARY | RF_SENSITIVE, &size); |
573 | |
|
574 | 0 | if (data == NULL) { |
575 | 0 | gnutls_assert(); |
576 | 0 | return GNUTLS_E_FILE_ERROR; |
577 | 0 | } |
578 | | |
579 | 0 | ret = _gnutls_read_key_mem(res, data, size, type, pass, flags, rkey); |
580 | 0 | zeroize_key(data, size); |
581 | 0 | free(data); |
582 | |
|
583 | 0 | return ret; |
584 | 0 | } |
585 | | |
586 | | /** |
587 | | * gnutls_certificate_set_x509_key_mem: |
588 | | * @res: is a #gnutls_certificate_credentials_t type. |
589 | | * @cert: contains a certificate list (path) for the specified private key |
590 | | * @key: is the private key, or %NULL |
591 | | * @type: is PEM or DER |
592 | | * |
593 | | * This function sets a certificate/private key pair in the |
594 | | * gnutls_certificate_credentials_t type. This function may be called |
595 | | * more than once, in case multiple keys/certificates exist for the |
596 | | * server. |
597 | | * |
598 | | * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates |
599 | | * is supported. This means that certificates intended for signing cannot |
600 | | * be used for ciphersuites that require encryption. |
601 | | * |
602 | | * If the certificate and the private key are given in PEM encoding |
603 | | * then the strings that hold their values must be null terminated. |
604 | | * |
605 | | * The @key may be %NULL if you are using a sign callback, see |
606 | | * gnutls_sign_callback_set(). |
607 | | * |
608 | | * Note that, this function by default returns zero on success and a negative value on error. |
609 | | * Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags() |
610 | | * it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair. |
611 | | * |
612 | | * Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior). |
613 | | * |
614 | | **/ |
615 | | int gnutls_certificate_set_x509_key_mem(gnutls_certificate_credentials_t res, |
616 | | const gnutls_datum_t *cert, |
617 | | const gnutls_datum_t *key, |
618 | | gnutls_x509_crt_fmt_t type) |
619 | 0 | { |
620 | 0 | return gnutls_certificate_set_x509_key_mem2(res, cert, key, type, NULL, |
621 | 0 | 0); |
622 | 0 | } |
623 | | |
624 | | /** |
625 | | * gnutls_certificate_set_x509_key_mem2: |
626 | | * @res: is a #gnutls_certificate_credentials_t type. |
627 | | * @cert: contains a certificate list (path) for the specified private key |
628 | | * @key: is the private key, or %NULL |
629 | | * @type: is PEM or DER |
630 | | * @pass: is the key's password |
631 | | * @flags: an ORed sequence of gnutls_pkcs_encrypt_flags_t |
632 | | * |
633 | | * This function sets a certificate/private key pair in the |
634 | | * gnutls_certificate_credentials_t type. This function may be called |
635 | | * more than once, in case multiple keys/certificates exist for the |
636 | | * server. |
637 | | * |
638 | | * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates |
639 | | * is supported. This means that certificates intended for signing cannot |
640 | | * be used for ciphersuites that require encryption. |
641 | | * |
642 | | * If the certificate and the private key are given in PEM encoding |
643 | | * then the strings that hold their values must be null terminated. |
644 | | * |
645 | | * The @key may be %NULL if you are using a sign callback, see |
646 | | * gnutls_sign_callback_set(). |
647 | | * |
648 | | * Note that, this function by default returns zero on success and a negative value on error. |
649 | | * Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags() |
650 | | * it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair. |
651 | | * |
652 | | * Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior). |
653 | | **/ |
654 | | int gnutls_certificate_set_x509_key_mem2(gnutls_certificate_credentials_t res, |
655 | | const gnutls_datum_t *cert, |
656 | | const gnutls_datum_t *key, |
657 | | gnutls_x509_crt_fmt_t type, |
658 | | const char *pass, unsigned int flags) |
659 | 0 | { |
660 | 0 | int ret; |
661 | 0 | gnutls_privkey_t rkey; |
662 | | |
663 | | /* this should be first |
664 | | */ |
665 | 0 | if ((ret = _gnutls_read_key_mem(res, key ? key->data : NULL, |
666 | 0 | key ? key->size : 0, type, pass, flags, |
667 | 0 | &rkey)) < 0) |
668 | 0 | return ret; |
669 | | |
670 | 0 | if ((ret = read_cert_mem(res, rkey, cert->data, cert->size, type)) < |
671 | 0 | 0) { |
672 | 0 | gnutls_privkey_deinit(rkey); |
673 | 0 | return ret; |
674 | 0 | } |
675 | | |
676 | 0 | res->ncerts++; |
677 | |
|
678 | 0 | if (key && (ret = _gnutls_check_key_cert_match(res)) < 0) { |
679 | 0 | gnutls_assert(); |
680 | 0 | return ret; |
681 | 0 | } |
682 | | |
683 | 0 | CRED_RET_SUCCESS(res); |
684 | 0 | } |
685 | | |
686 | | /** |
687 | | * gnutls_certificate_set_x509_key: |
688 | | * @res: is a #gnutls_certificate_credentials_t type. |
689 | | * @cert_list: contains a certificate list (path) for the specified private key |
690 | | * @cert_list_size: holds the size of the certificate list |
691 | | * @key: is a #gnutls_x509_privkey_t key |
692 | | * |
693 | | * This function sets a certificate/private key pair in the |
694 | | * gnutls_certificate_credentials_t type. This function may be |
695 | | * called more than once, in case multiple keys/certificates exist for |
696 | | * the server. For clients that wants to send more than their own end |
697 | | * entity certificate (e.g., also an intermediate CA cert) then put |
698 | | * the certificate chain in @cert_list. |
699 | | * |
700 | | * Note that the certificates and keys provided, can be safely deinitialized |
701 | | * after this function is called. |
702 | | * |
703 | | * If that function fails to load the @res type is at an undefined state, it must |
704 | | * not be reused to load other keys or certificates. |
705 | | * |
706 | | * Note that, this function by default returns zero on success and a negative value on error. |
707 | | * Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags() |
708 | | * it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair. |
709 | | * |
710 | | * Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior). |
711 | | * |
712 | | * Since: 2.4.0 |
713 | | **/ |
714 | | int gnutls_certificate_set_x509_key(gnutls_certificate_credentials_t res, |
715 | | gnutls_x509_crt_t *cert_list, |
716 | | int cert_list_size, |
717 | | gnutls_x509_privkey_t key) |
718 | 0 | { |
719 | 0 | int ret; |
720 | 0 | int npcerts = 0; |
721 | 0 | gnutls_privkey_t pkey; |
722 | 0 | gnutls_pcert_st *pcerts = NULL; |
723 | 0 | gnutls_str_array_t names; |
724 | |
|
725 | 0 | if (cert_list == NULL || cert_list_size < 1) |
726 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
727 | | |
728 | 0 | _gnutls_str_array_init(&names); |
729 | | |
730 | | /* this should be first |
731 | | */ |
732 | 0 | ret = gnutls_privkey_init(&pkey); |
733 | 0 | if (ret < 0) { |
734 | 0 | gnutls_assert(); |
735 | 0 | return ret; |
736 | 0 | } |
737 | | |
738 | 0 | if (res->pin.cb) |
739 | 0 | gnutls_privkey_set_pin_function(pkey, res->pin.cb, |
740 | 0 | res->pin.data); |
741 | |
|
742 | 0 | ret = gnutls_privkey_import_x509(pkey, key, GNUTLS_PRIVKEY_IMPORT_COPY); |
743 | 0 | if (ret < 0) { |
744 | 0 | gnutls_assert(); |
745 | 0 | return ret; |
746 | 0 | } |
747 | | |
748 | | /* load certificates */ |
749 | 0 | pcerts = _gnutls_reallocarray(NULL, cert_list_size, |
750 | 0 | sizeof(gnutls_pcert_st)); |
751 | 0 | if (pcerts == NULL) { |
752 | 0 | gnutls_assert(); |
753 | 0 | return GNUTLS_E_MEMORY_ERROR; |
754 | 0 | } |
755 | | |
756 | 0 | ret = _gnutls_get_x509_name(cert_list[0], &names); |
757 | 0 | if (ret < 0) { |
758 | 0 | gnutls_assert(); |
759 | 0 | goto cleanup; |
760 | 0 | } |
761 | | |
762 | 0 | ret = gnutls_pcert_import_x509_list(pcerts, cert_list, |
763 | 0 | (unsigned int *)&cert_list_size, |
764 | 0 | GNUTLS_X509_CRT_LIST_SORT); |
765 | 0 | if (ret < 0) { |
766 | 0 | gnutls_assert(); |
767 | 0 | goto cleanup; |
768 | 0 | } |
769 | 0 | npcerts = cert_list_size; |
770 | |
|
771 | 0 | ret = _gnutls_certificate_credential_append_keypair(res, pkey, names, |
772 | 0 | pcerts, npcerts); |
773 | 0 | if (ret < 0) { |
774 | 0 | gnutls_assert(); |
775 | 0 | goto cleanup; |
776 | 0 | } |
777 | | |
778 | 0 | res->ncerts++; |
779 | | |
780 | | /* after this point we do not deinitialize anything on failure to avoid |
781 | | * double freeing. We intentionally keep everything as the credentials state |
782 | | * is documented to be on undefined state. */ |
783 | 0 | if ((ret = _gnutls_check_key_cert_match(res)) < 0) { |
784 | 0 | gnutls_assert(); |
785 | 0 | return ret; |
786 | 0 | } |
787 | | |
788 | 0 | CRED_RET_SUCCESS(res); |
789 | |
|
790 | 0 | cleanup: |
791 | 0 | while (npcerts-- > 0) |
792 | 0 | gnutls_pcert_deinit(&pcerts[npcerts]); |
793 | 0 | gnutls_free(pcerts); |
794 | 0 | _gnutls_str_array_clear(&names); |
795 | 0 | return ret; |
796 | 0 | } |
797 | | |
798 | | /** |
799 | | * gnutls_certificate_get_x509_key: |
800 | | * @res: is a #gnutls_certificate_credentials_t type. |
801 | | * @index: The index of the key to obtain. |
802 | | * @key: Location to store the key. |
803 | | * |
804 | | * Obtains a X.509 private key that has been stored in @res with one of |
805 | | * gnutls_certificate_set_x509_key(), gnutls_certificate_set_key(), |
806 | | * gnutls_certificate_set_x509_key_file(), |
807 | | * gnutls_certificate_set_x509_key_file2(), |
808 | | * gnutls_certificate_set_x509_key_mem(), or |
809 | | * gnutls_certificate_set_x509_key_mem2(). The returned key must be deallocated |
810 | | * with gnutls_x509_privkey_deinit() when no longer needed. |
811 | | * |
812 | | * The @index matches the return value of gnutls_certificate_set_x509_key() and friends |
813 | | * functions, when the %GNUTLS_CERTIFICATE_API_V2 flag is set. |
814 | | * |
815 | | * If there is no key with the given index, |
816 | | * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned. If the key with the |
817 | | * given index is not a X.509 key, %GNUTLS_E_INVALID_REQUEST is returned. |
818 | | * |
819 | | * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code. |
820 | | * |
821 | | * Since: 3.4.0 |
822 | | */ |
823 | | int gnutls_certificate_get_x509_key(gnutls_certificate_credentials_t res, |
824 | | unsigned index, gnutls_x509_privkey_t *key) |
825 | 0 | { |
826 | 0 | if (index >= res->ncerts) { |
827 | 0 | gnutls_assert(); |
828 | 0 | return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; |
829 | 0 | } |
830 | | |
831 | 0 | return gnutls_privkey_export_x509(res->certs[index].pkey, key); |
832 | 0 | } |
833 | | |
834 | | /** |
835 | | * gnutls_certificate_get_x509_crt: |
836 | | * @res: is a #gnutls_certificate_credentials_t type. |
837 | | * @index: The index of the certificate list to obtain. |
838 | | * @crt_list: Where to store the certificate list. |
839 | | * @crt_list_size: Will hold the number of certificates. |
840 | | * |
841 | | * Obtains a X.509 certificate list that has been stored in @res with one of |
842 | | * gnutls_certificate_set_x509_key(), gnutls_certificate_set_key(), |
843 | | * gnutls_certificate_set_x509_key_file(), |
844 | | * gnutls_certificate_set_x509_key_file2(), |
845 | | * gnutls_certificate_set_x509_key_mem(), or |
846 | | * gnutls_certificate_set_x509_key_mem2(). Each certificate in the returned |
847 | | * certificate list must be deallocated with gnutls_x509_crt_deinit(), and the |
848 | | * list itself must be freed with gnutls_free(). |
849 | | * |
850 | | * The @index matches the return value of gnutls_certificate_set_x509_key() and friends |
851 | | * functions, when the %GNUTLS_CERTIFICATE_API_V2 flag is set. |
852 | | * |
853 | | * If there is no certificate with the given index, |
854 | | * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE is returned. If the certificate |
855 | | * with the given index is not a X.509 certificate, %GNUTLS_E_INVALID_REQUEST |
856 | | * is returned. The returned certificates must be deinitialized after |
857 | | * use, and the @crt_list pointer must be freed using gnutls_free(). |
858 | | * |
859 | | * Returns: %GNUTLS_E_SUCCESS (0) on success, or a negative error code. |
860 | | * |
861 | | * Since: 3.4.0 |
862 | | */ |
863 | | int gnutls_certificate_get_x509_crt(gnutls_certificate_credentials_t res, |
864 | | unsigned index, |
865 | | gnutls_x509_crt_t **crt_list, |
866 | | unsigned *crt_list_size) |
867 | 0 | { |
868 | 0 | int ret; |
869 | 0 | unsigned i; |
870 | |
|
871 | 0 | if (index >= res->ncerts) { |
872 | 0 | gnutls_assert(); |
873 | 0 | return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; |
874 | 0 | } |
875 | | |
876 | 0 | *crt_list_size = res->certs[index].cert_list_length; |
877 | 0 | *crt_list = _gnutls_reallocarray(NULL, |
878 | 0 | res->certs[index].cert_list_length, |
879 | 0 | sizeof(gnutls_x509_crt_t)); |
880 | 0 | if (*crt_list == NULL) { |
881 | 0 | gnutls_assert(); |
882 | 0 | return GNUTLS_E_MEMORY_ERROR; |
883 | 0 | } |
884 | | |
885 | 0 | for (i = 0; i < res->certs[index].cert_list_length; ++i) { |
886 | 0 | ret = gnutls_pcert_export_x509(&res->certs[index].cert_list[i], |
887 | 0 | &(*crt_list)[i]); |
888 | 0 | if (ret < 0) { |
889 | 0 | while (i--) |
890 | 0 | gnutls_x509_crt_deinit((*crt_list)[i]); |
891 | 0 | gnutls_free(*crt_list); |
892 | |
|
893 | 0 | return gnutls_assert_val(ret); |
894 | 0 | } |
895 | 0 | } |
896 | | |
897 | 0 | return 0; |
898 | 0 | } |
899 | | |
900 | | /** |
901 | | * gnutls_certificate_set_trust_list: |
902 | | * @res: is a #gnutls_certificate_credentials_t type. |
903 | | * @tlist: is a #gnutls_x509_trust_list_t type |
904 | | * @flags: must be zero |
905 | | * |
906 | | * This function sets a trust list in the gnutls_certificate_credentials_t type. |
907 | | * |
908 | | * Note that the @tlist will become part of the credentials |
909 | | * structure and must not be deallocated. It will be automatically deallocated |
910 | | * when the @res structure is deinitialized. |
911 | | * |
912 | | * Since: 3.2.2 |
913 | | **/ |
914 | | void gnutls_certificate_set_trust_list(gnutls_certificate_credentials_t res, |
915 | | gnutls_x509_trust_list_t tlist, |
916 | | unsigned flags) |
917 | 0 | { |
918 | 0 | gnutls_x509_trust_list_deinit(res->tlist, 1); |
919 | |
|
920 | 0 | res->tlist = tlist; |
921 | 0 | } |
922 | | |
923 | | /** |
924 | | * gnutls_certificate_get_trust_list: |
925 | | * @res: is a #gnutls_certificate_credentials_t type. |
926 | | * @tlist: Location where to store the trust list. |
927 | | * |
928 | | * Obtains the list of trusted certificates stored in @res and writes a |
929 | | * pointer to it to the location @tlist. The pointer will point to memory |
930 | | * internal to @res, and must not be deinitialized. It will be automatically |
931 | | * deallocated when the @res structure is deinitialized. |
932 | | * |
933 | | * Since: 3.4.0 |
934 | | **/ |
935 | | void gnutls_certificate_get_trust_list(gnutls_certificate_credentials_t res, |
936 | | gnutls_x509_trust_list_t *tlist) |
937 | 0 | { |
938 | 0 | *tlist = res->tlist; |
939 | 0 | } |
940 | | |
941 | | /** |
942 | | * gnutls_certificate_set_x509_key_file: |
943 | | * @res: is a #gnutls_certificate_credentials_t type. |
944 | | * @certfile: is a file that containing the certificate list (path) for |
945 | | * the specified private key, in PKCS7 format, or a list of certificates |
946 | | * @keyfile: is a file that contains the private key |
947 | | * @type: is PEM or DER |
948 | | * |
949 | | * This function sets a certificate/private key pair in the |
950 | | * gnutls_certificate_credentials_t type. This function may be |
951 | | * called more than once, in case multiple keys/certificates exist for |
952 | | * the server. For clients that need to send more than its own end |
953 | | * entity certificate, e.g., also an intermediate CA cert, then the |
954 | | * @certfile must contain the ordered certificate chain. |
955 | | * |
956 | | * Note that the names in the certificate provided will be considered |
957 | | * when selecting the appropriate certificate to use (in case of multiple |
958 | | * certificate/key pairs). |
959 | | * |
960 | | * This function can also accept URLs at @keyfile and @certfile. In that case it |
961 | | * will use the private key and certificate indicated by the URLs. Note |
962 | | * that the supported URLs are the ones indicated by gnutls_url_is_supported(). |
963 | | * |
964 | | * In case the @certfile is provided as a PKCS #11 URL, then the certificate, and its |
965 | | * present issuers in the token are imported (i.e., forming the required trust chain). |
966 | | * |
967 | | * If that function fails to load the @res structure is at an undefined state, it must |
968 | | * not be reused to load other keys or certificates. |
969 | | * |
970 | | * Note that, this function by default returns zero on success and a negative value on error. |
971 | | * Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags() |
972 | | * it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair. |
973 | | * |
974 | | * Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior). |
975 | | * |
976 | | * Since: 3.1.11 |
977 | | **/ |
978 | | int gnutls_certificate_set_x509_key_file(gnutls_certificate_credentials_t res, |
979 | | const char *certfile, |
980 | | const char *keyfile, |
981 | | gnutls_x509_crt_fmt_t type) |
982 | 0 | { |
983 | 0 | return gnutls_certificate_set_x509_key_file2(res, certfile, keyfile, |
984 | 0 | type, NULL, 0); |
985 | 0 | } |
986 | | |
987 | | /** |
988 | | * gnutls_certificate_set_x509_key_file2: |
989 | | * @res: is a #gnutls_certificate_credentials_t type. |
990 | | * @certfile: is a file that containing the certificate list (path) for |
991 | | * the specified private key, in PKCS7 format, or a list of certificates |
992 | | * @keyfile: is a file that contains the private key |
993 | | * @type: is PEM or DER |
994 | | * @pass: is the password of the key |
995 | | * @flags: an ORed sequence of gnutls_pkcs_encrypt_flags_t |
996 | | * |
997 | | * This function sets a certificate/private key pair in the |
998 | | * gnutls_certificate_credentials_t type. This function may be |
999 | | * called more than once, in case multiple keys/certificates exist for |
1000 | | * the server. For clients that need to send more than its own end |
1001 | | * entity certificate, e.g., also an intermediate CA cert, then the |
1002 | | * @certfile must contain the ordered certificate chain. |
1003 | | * |
1004 | | * Note that the names in the certificate provided will be considered |
1005 | | * when selecting the appropriate certificate to use (in case of multiple |
1006 | | * certificate/key pairs). |
1007 | | * |
1008 | | * This function can also accept URLs at @keyfile and @certfile. In that case it |
1009 | | * will use the private key and certificate indicated by the URLs. Note |
1010 | | * that the supported URLs are the ones indicated by gnutls_url_is_supported(). |
1011 | | * Before GnuTLS 3.4.0 when a URL was specified, the @pass part was ignored and a |
1012 | | * PIN callback had to be registered, this is no longer the case in current releases. |
1013 | | * |
1014 | | * In case the @certfile is provided as a PKCS #11 URL, then the certificate, and its |
1015 | | * present issuers in the token are imported (i.e., forming the required trust chain). |
1016 | | * |
1017 | | * If that function fails to load the @res structure is at an undefined state, it must |
1018 | | * not be reused to load other keys or certificates. |
1019 | | * |
1020 | | * Note that, this function by default returns zero on success and a negative value on error. |
1021 | | * Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags() |
1022 | | * it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair. |
1023 | | * |
1024 | | * Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior). |
1025 | | * |
1026 | | **/ |
1027 | | int gnutls_certificate_set_x509_key_file2(gnutls_certificate_credentials_t res, |
1028 | | const char *certfile, |
1029 | | const char *keyfile, |
1030 | | gnutls_x509_crt_fmt_t type, |
1031 | | const char *pass, unsigned int flags) |
1032 | 0 | { |
1033 | 0 | int ret; |
1034 | 0 | gnutls_privkey_t rkey; |
1035 | | |
1036 | | /* this should be first |
1037 | | */ |
1038 | 0 | if ((ret = _gnutls_read_key_file(res, keyfile, type, pass, flags, |
1039 | 0 | &rkey)) < 0) |
1040 | 0 | return ret; |
1041 | | |
1042 | 0 | if ((ret = read_cert_file(res, rkey, certfile, type)) < 0) { |
1043 | 0 | gnutls_privkey_deinit(rkey); |
1044 | 0 | return ret; |
1045 | 0 | } |
1046 | | |
1047 | 0 | res->ncerts++; |
1048 | |
|
1049 | 0 | if ((ret = _gnutls_check_key_cert_match(res)) < 0) { |
1050 | 0 | gnutls_assert(); |
1051 | 0 | return ret; |
1052 | 0 | } |
1053 | | |
1054 | 0 | CRED_RET_SUCCESS(res); |
1055 | 0 | } |
1056 | | |
1057 | | /** |
1058 | | * gnutls_certificate_set_x509_trust_mem: |
1059 | | * @res: is a #gnutls_certificate_credentials_t type. |
1060 | | * @ca: is a list of trusted CAs or a DER certificate |
1061 | | * @type: is DER or PEM |
1062 | | * |
1063 | | * This function adds the trusted CAs in order to verify client or |
1064 | | * server certificates. In case of a client this is not required to be |
1065 | | * called if the certificates are not verified using |
1066 | | * gnutls_certificate_verify_peers2(). This function may be called |
1067 | | * multiple times. |
1068 | | * |
1069 | | * In case of a server the CAs set here will be sent to the client if |
1070 | | * a certificate request is sent. This can be disabled using |
1071 | | * gnutls_certificate_send_x509_rdn_sequence(). |
1072 | | * |
1073 | | * Returns: the number of certificates processed or a negative error code |
1074 | | * on error. |
1075 | | **/ |
1076 | | int gnutls_certificate_set_x509_trust_mem(gnutls_certificate_credentials_t res, |
1077 | | const gnutls_datum_t *ca, |
1078 | | gnutls_x509_crt_fmt_t type) |
1079 | 0 | { |
1080 | 0 | int ret; |
1081 | |
|
1082 | 0 | ret = gnutls_x509_trust_list_add_trust_mem(res->tlist, ca, NULL, type, |
1083 | 0 | GNUTLS_TL_USE_IN_TLS, 0); |
1084 | 0 | if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND) |
1085 | 0 | return 0; |
1086 | | |
1087 | 0 | return ret; |
1088 | 0 | } |
1089 | | |
1090 | | /** |
1091 | | * gnutls_certificate_set_x509_trust: |
1092 | | * @res: is a #gnutls_certificate_credentials_t type. |
1093 | | * @ca_list: is a list of trusted CAs |
1094 | | * @ca_list_size: holds the size of the CA list |
1095 | | * |
1096 | | * This function adds the trusted CAs in order to verify client |
1097 | | * or server certificates. In case of a client this is not required |
1098 | | * to be called if the certificates are not verified using |
1099 | | * gnutls_certificate_verify_peers2(). |
1100 | | * This function may be called multiple times. |
1101 | | * |
1102 | | * In case of a server the CAs set here will be sent to the client if |
1103 | | * a certificate request is sent. This can be disabled using |
1104 | | * gnutls_certificate_send_x509_rdn_sequence(). |
1105 | | * |
1106 | | * Returns: the number of certificates processed or a negative error code |
1107 | | * on error. |
1108 | | * |
1109 | | * Since: 2.4.0 |
1110 | | **/ |
1111 | | int gnutls_certificate_set_x509_trust(gnutls_certificate_credentials_t res, |
1112 | | gnutls_x509_crt_t *ca_list, |
1113 | | int ca_list_size) |
1114 | 0 | { |
1115 | 0 | int ret, i, j; |
1116 | 0 | gnutls_x509_crt_t *new_list; |
1117 | |
|
1118 | 0 | if (ca_list == NULL || ca_list_size < 1) |
1119 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
1120 | | |
1121 | 0 | new_list = _gnutls_reallocarray(NULL, ca_list_size, |
1122 | 0 | sizeof(gnutls_x509_crt_t)); |
1123 | 0 | if (!new_list) |
1124 | 0 | return GNUTLS_E_MEMORY_ERROR; |
1125 | | |
1126 | 0 | for (i = 0; i < ca_list_size; i++) { |
1127 | 0 | ret = gnutls_x509_crt_init(&new_list[i]); |
1128 | 0 | if (ret < 0) { |
1129 | 0 | gnutls_assert(); |
1130 | 0 | goto cleanup; |
1131 | 0 | } |
1132 | | |
1133 | 0 | ret = _gnutls_x509_crt_cpy(new_list[i], ca_list[i]); |
1134 | 0 | if (ret < 0) { |
1135 | 0 | gnutls_assert(); |
1136 | 0 | goto cleanup; |
1137 | 0 | } |
1138 | 0 | } |
1139 | | |
1140 | 0 | ret = gnutls_x509_trust_list_add_cas(res->tlist, new_list, ca_list_size, |
1141 | 0 | GNUTLS_TL_USE_IN_TLS); |
1142 | 0 | if (ret < 0) { |
1143 | 0 | gnutls_assert(); |
1144 | 0 | goto cleanup; |
1145 | 0 | } |
1146 | | |
1147 | 0 | gnutls_free(new_list); |
1148 | 0 | return ret; |
1149 | | |
1150 | 0 | cleanup: |
1151 | 0 | for (j = 0; j < i; j++) |
1152 | 0 | gnutls_x509_crt_deinit(new_list[j]); |
1153 | 0 | gnutls_free(new_list); |
1154 | |
|
1155 | 0 | return ret; |
1156 | 0 | } |
1157 | | |
1158 | | /** |
1159 | | * gnutls_certificate_set_x509_trust_file: |
1160 | | * @cred: is a #gnutls_certificate_credentials_t type. |
1161 | | * @cafile: is a file containing the list of trusted CAs (DER or PEM list) |
1162 | | * @type: is PEM or DER |
1163 | | * |
1164 | | * This function adds the trusted CAs in order to verify client or |
1165 | | * server certificates. In case of a client this is not required to |
1166 | | * be called if the certificates are not verified using |
1167 | | * gnutls_certificate_verify_peers2(). This function may be called |
1168 | | * multiple times. |
1169 | | * |
1170 | | * In case of a server the names of the CAs set here will be sent to |
1171 | | * the client if a certificate request is sent. This can be disabled |
1172 | | * using gnutls_certificate_send_x509_rdn_sequence(). |
1173 | | * |
1174 | | * This function can also accept URLs. In that case it |
1175 | | * will import all certificates that are marked as trusted. Note |
1176 | | * that the supported URLs are the ones indicated by gnutls_url_is_supported(). |
1177 | | * |
1178 | | * Returns: the number of certificates processed |
1179 | | **/ |
1180 | | int gnutls_certificate_set_x509_trust_file(gnutls_certificate_credentials_t cred, |
1181 | | const char *cafile, |
1182 | | gnutls_x509_crt_fmt_t type) |
1183 | 0 | { |
1184 | 0 | int ret; |
1185 | |
|
1186 | 0 | ret = gnutls_x509_trust_list_add_trust_file( |
1187 | 0 | cred->tlist, cafile, NULL, type, GNUTLS_TL_USE_IN_TLS, 0); |
1188 | 0 | if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND) |
1189 | 0 | return 0; |
1190 | | |
1191 | 0 | return ret; |
1192 | 0 | } |
1193 | | |
1194 | | /** |
1195 | | * gnutls_certificate_set_x509_trust_dir: |
1196 | | * @cred: is a #gnutls_certificate_credentials_t type. |
1197 | | * @ca_dir: is a directory containing the list of trusted CAs (DER or PEM list) |
1198 | | * @type: is PEM or DER |
1199 | | * |
1200 | | * This function adds the trusted CAs present in the directory in order to |
1201 | | * verify client or server certificates. This function is identical |
1202 | | * to gnutls_certificate_set_x509_trust_file() but loads all certificates |
1203 | | * in a directory. |
1204 | | * |
1205 | | * Returns: the number of certificates processed |
1206 | | * |
1207 | | * Since: 3.3.6 |
1208 | | * |
1209 | | **/ |
1210 | | int gnutls_certificate_set_x509_trust_dir(gnutls_certificate_credentials_t cred, |
1211 | | const char *ca_dir, |
1212 | | gnutls_x509_crt_fmt_t type) |
1213 | 0 | { |
1214 | 0 | int ret; |
1215 | |
|
1216 | 0 | ret = gnutls_x509_trust_list_add_trust_dir( |
1217 | 0 | cred->tlist, ca_dir, NULL, type, GNUTLS_TL_USE_IN_TLS, 0); |
1218 | 0 | if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND) |
1219 | 0 | return 0; |
1220 | | |
1221 | 0 | return ret; |
1222 | 0 | } |
1223 | | |
1224 | | /** |
1225 | | * gnutls_certificate_set_x509_system_trust: |
1226 | | * @cred: is a #gnutls_certificate_credentials_t type. |
1227 | | * |
1228 | | * This function adds the system's default trusted CAs in order to |
1229 | | * verify client or server certificates. |
1230 | | * |
1231 | | * In the case the system is currently unsupported %GNUTLS_E_UNIMPLEMENTED_FEATURE |
1232 | | * is returned. |
1233 | | * |
1234 | | * Returns: the number of certificates processed or a negative error code |
1235 | | * on error. |
1236 | | * |
1237 | | * Since: 3.0.20 |
1238 | | **/ |
1239 | | int gnutls_certificate_set_x509_system_trust( |
1240 | | gnutls_certificate_credentials_t cred) |
1241 | 0 | { |
1242 | 0 | return gnutls_x509_trust_list_add_system_trust(cred->tlist, |
1243 | 0 | GNUTLS_TL_USE_IN_TLS, 0); |
1244 | 0 | } |
1245 | | |
1246 | | /** |
1247 | | * gnutls_certificate_set_x509_crl_mem: |
1248 | | * @res: is a #gnutls_certificate_credentials_t type. |
1249 | | * @CRL: is a list of trusted CRLs. They should have been verified before. |
1250 | | * @type: is DER or PEM |
1251 | | * |
1252 | | * This function adds the trusted CRLs in order to verify client or |
1253 | | * server certificates. In case of a client this is not required to |
1254 | | * be called if the certificates are not verified using |
1255 | | * gnutls_certificate_verify_peers2(). This function may be called |
1256 | | * multiple times. |
1257 | | * |
1258 | | * Returns: number of CRLs processed, or a negative error code on error. |
1259 | | **/ |
1260 | | int gnutls_certificate_set_x509_crl_mem(gnutls_certificate_credentials_t res, |
1261 | | const gnutls_datum_t *CRL, |
1262 | | gnutls_x509_crt_fmt_t type) |
1263 | 0 | { |
1264 | 0 | unsigned flags = GNUTLS_TL_USE_IN_TLS; |
1265 | 0 | int ret; |
1266 | |
|
1267 | 0 | if (res->flags & GNUTLS_CERTIFICATE_VERIFY_CRLS) |
1268 | 0 | flags |= GNUTLS_TL_VERIFY_CRL | GNUTLS_TL_FAIL_ON_INVALID_CRL; |
1269 | |
|
1270 | 0 | ret = gnutls_x509_trust_list_add_trust_mem(res->tlist, NULL, CRL, type, |
1271 | 0 | flags, 0); |
1272 | 0 | if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND) |
1273 | 0 | return 0; |
1274 | | |
1275 | 0 | return ret; |
1276 | 0 | } |
1277 | | |
1278 | | /** |
1279 | | * gnutls_certificate_set_x509_crl: |
1280 | | * @res: is a #gnutls_certificate_credentials_t type. |
1281 | | * @crl_list: is a list of trusted CRLs. They should have been verified before. |
1282 | | * @crl_list_size: holds the size of the crl_list |
1283 | | * |
1284 | | * This function adds the trusted CRLs in order to verify client or |
1285 | | * server certificates. In case of a client this is not required to |
1286 | | * be called if the certificates are not verified using |
1287 | | * gnutls_certificate_verify_peers2(). This function may be called |
1288 | | * multiple times. |
1289 | | * |
1290 | | * Returns: number of CRLs processed, or a negative error code on error. |
1291 | | * |
1292 | | * Since: 2.4.0 |
1293 | | **/ |
1294 | | int gnutls_certificate_set_x509_crl(gnutls_certificate_credentials_t res, |
1295 | | gnutls_x509_crl_t *crl_list, |
1296 | | int crl_list_size) |
1297 | 0 | { |
1298 | 0 | int ret, i, j; |
1299 | 0 | gnutls_x509_crl_t *new_crl; |
1300 | 0 | unsigned flags; |
1301 | |
|
1302 | 0 | flags = GNUTLS_TL_USE_IN_TLS; |
1303 | 0 | if (res->flags & GNUTLS_CERTIFICATE_VERIFY_CRLS) |
1304 | 0 | flags |= GNUTLS_TL_VERIFY_CRL | GNUTLS_TL_FAIL_ON_INVALID_CRL; |
1305 | |
|
1306 | 0 | new_crl = _gnutls_reallocarray(NULL, crl_list_size, |
1307 | 0 | sizeof(gnutls_x509_crl_t)); |
1308 | 0 | if (!new_crl) |
1309 | 0 | return GNUTLS_E_MEMORY_ERROR; |
1310 | | |
1311 | 0 | for (i = 0; i < crl_list_size; i++) { |
1312 | 0 | ret = gnutls_x509_crl_init(&new_crl[i]); |
1313 | 0 | if (ret < 0) { |
1314 | 0 | gnutls_assert(); |
1315 | 0 | goto cleanup; |
1316 | 0 | } |
1317 | | |
1318 | 0 | ret = _gnutls_x509_crl_cpy(new_crl[i], crl_list[i]); |
1319 | 0 | if (ret < 0) { |
1320 | 0 | gnutls_assert(); |
1321 | 0 | goto cleanup; |
1322 | 0 | } |
1323 | 0 | } |
1324 | | |
1325 | 0 | ret = gnutls_x509_trust_list_add_crls(res->tlist, new_crl, |
1326 | 0 | crl_list_size, flags, 0); |
1327 | 0 | if (ret < 0) { |
1328 | 0 | gnutls_assert(); |
1329 | 0 | goto cleanup; |
1330 | 0 | } |
1331 | | |
1332 | 0 | free(new_crl); |
1333 | 0 | return ret; |
1334 | | |
1335 | 0 | cleanup: |
1336 | 0 | for (j = 0; j < i; j++) |
1337 | 0 | gnutls_x509_crl_deinit(new_crl[j]); |
1338 | 0 | free(new_crl); |
1339 | |
|
1340 | 0 | return ret; |
1341 | 0 | } |
1342 | | |
1343 | | /** |
1344 | | * gnutls_certificate_set_x509_crl_file: |
1345 | | * @res: is a #gnutls_certificate_credentials_t type. |
1346 | | * @crlfile: is a file containing the list of verified CRLs (DER or PEM list) |
1347 | | * @type: is PEM or DER |
1348 | | * |
1349 | | * This function adds the trusted CRLs in order to verify client or server |
1350 | | * certificates. In case of a client this is not required |
1351 | | * to be called if the certificates are not verified using |
1352 | | * gnutls_certificate_verify_peers2(). |
1353 | | * This function may be called multiple times. |
1354 | | * |
1355 | | * Returns: number of CRLs processed or a negative error code on error. |
1356 | | **/ |
1357 | | int gnutls_certificate_set_x509_crl_file(gnutls_certificate_credentials_t res, |
1358 | | const char *crlfile, |
1359 | | gnutls_x509_crt_fmt_t type) |
1360 | 0 | { |
1361 | 0 | int ret; |
1362 | 0 | unsigned flags = GNUTLS_TL_USE_IN_TLS; |
1363 | |
|
1364 | 0 | if (res->flags & GNUTLS_CERTIFICATE_VERIFY_CRLS) |
1365 | 0 | flags |= GNUTLS_TL_VERIFY_CRL | GNUTLS_TL_FAIL_ON_INVALID_CRL; |
1366 | |
|
1367 | 0 | ret = gnutls_x509_trust_list_add_trust_file(res->tlist, NULL, crlfile, |
1368 | 0 | type, flags, 0); |
1369 | 0 | if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND) |
1370 | 0 | return 0; |
1371 | | |
1372 | 0 | return ret; |
1373 | 0 | } |
1374 | | |
1375 | | #include <gnutls/pkcs12.h> |
1376 | | |
1377 | | /** |
1378 | | * gnutls_certificate_set_x509_simple_pkcs12_file: |
1379 | | * @res: is a #gnutls_certificate_credentials_t type. |
1380 | | * @pkcs12file: filename of file containing PKCS#12 blob. |
1381 | | * @type: is PEM or DER of the @pkcs12file. |
1382 | | * @password: optional password used to decrypt PKCS#12 file, bags and keys. |
1383 | | * |
1384 | | * This function sets a certificate/private key pair and/or a CRL in |
1385 | | * the gnutls_certificate_credentials_t type. This function may |
1386 | | * be called more than once (in case multiple keys/certificates exist |
1387 | | * for the server). |
1388 | | * |
1389 | | * PKCS#12 files with a MAC, encrypted bags and PKCS #8 |
1390 | | * private keys are supported. However, |
1391 | | * only password based security, and the same password for all |
1392 | | * operations, are supported. |
1393 | | * |
1394 | | * PKCS#12 file may contain many keys and/or certificates, and this |
1395 | | * function will try to auto-detect based on the key ID the certificate |
1396 | | * and key pair to use. If the PKCS#12 file contain the issuer of |
1397 | | * the selected certificate, it will be appended to the certificate |
1398 | | * to form a chain. |
1399 | | * |
1400 | | * If more than one private keys are stored in the PKCS#12 file, |
1401 | | * then only one key will be read (and it is undefined which one). |
1402 | | * |
1403 | | * It is believed that the limitations of this function is acceptable |
1404 | | * for most usage, and that any more flexibility would introduce |
1405 | | * complexity that would make it harder to use this functionality at |
1406 | | * all. |
1407 | | * |
1408 | | * Note that, this function by default returns zero on success and a negative value on error. |
1409 | | * Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags() |
1410 | | * it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair. |
1411 | | * |
1412 | | * Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior). |
1413 | | * |
1414 | | **/ |
1415 | | int gnutls_certificate_set_x509_simple_pkcs12_file( |
1416 | | gnutls_certificate_credentials_t res, const char *pkcs12file, |
1417 | | gnutls_x509_crt_fmt_t type, const char *password) |
1418 | 0 | { |
1419 | 0 | gnutls_datum_t p12blob; |
1420 | 0 | size_t size; |
1421 | 0 | int ret; |
1422 | |
|
1423 | 0 | p12blob.data = |
1424 | 0 | (void *)read_file(pkcs12file, RF_BINARY | RF_SENSITIVE, &size); |
1425 | 0 | p12blob.size = (unsigned int)size; |
1426 | 0 | if (p12blob.data == NULL) { |
1427 | 0 | gnutls_assert(); |
1428 | 0 | return GNUTLS_E_FILE_ERROR; |
1429 | 0 | } |
1430 | | |
1431 | 0 | ret = gnutls_certificate_set_x509_simple_pkcs12_mem(res, &p12blob, type, |
1432 | 0 | password); |
1433 | 0 | zeroize_key(p12blob.data, p12blob.size); |
1434 | 0 | free(p12blob.data); |
1435 | 0 | p12blob.size = 0; |
1436 | |
|
1437 | 0 | return ret; |
1438 | 0 | } |
1439 | | |
1440 | | /** |
1441 | | * gnutls_certificate_set_x509_simple_pkcs12_mem: |
1442 | | * @res: is a #gnutls_certificate_credentials_t type. |
1443 | | * @p12blob: the PKCS#12 blob. |
1444 | | * @type: is PEM or DER of the @pkcs12file. |
1445 | | * @password: optional password used to decrypt PKCS#12 file, bags and keys. |
1446 | | * |
1447 | | * This function sets a certificate/private key pair and/or a CRL in |
1448 | | * the gnutls_certificate_credentials_t type. This function may |
1449 | | * be called more than once (in case multiple keys/certificates exist |
1450 | | * for the server). |
1451 | | * |
1452 | | * Encrypted PKCS#12 bags and PKCS#8 private keys are supported. However, |
1453 | | * only password based security, and the same password for all |
1454 | | * operations, are supported. |
1455 | | * |
1456 | | * PKCS#12 file may contain many keys and/or certificates, and this |
1457 | | * function will try to auto-detect based on the key ID the certificate |
1458 | | * and key pair to use. If the PKCS#12 file contain the issuer of |
1459 | | * the selected certificate, it will be appended to the certificate |
1460 | | * to form a chain. |
1461 | | * |
1462 | | * If more than one private keys are stored in the PKCS#12 file, |
1463 | | * then only one key will be read (and it is undefined which one). |
1464 | | * |
1465 | | * It is believed that the limitations of this function is acceptable |
1466 | | * for most usage, and that any more flexibility would introduce |
1467 | | * complexity that would make it harder to use this functionality at |
1468 | | * all. |
1469 | | * |
1470 | | * Note that, this function by default returns zero on success and a negative value on error. |
1471 | | * Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags() |
1472 | | * it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair. |
1473 | | * |
1474 | | * Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior). |
1475 | | * |
1476 | | * Since: 2.8.0 |
1477 | | **/ |
1478 | | int gnutls_certificate_set_x509_simple_pkcs12_mem( |
1479 | | gnutls_certificate_credentials_t res, const gnutls_datum_t *p12blob, |
1480 | | gnutls_x509_crt_fmt_t type, const char *password) |
1481 | 0 | { |
1482 | 0 | gnutls_pkcs12_t p12; |
1483 | 0 | gnutls_x509_privkey_t key = NULL; |
1484 | 0 | gnutls_x509_crt_t *chain = NULL; |
1485 | 0 | gnutls_x509_crl_t crl = NULL; |
1486 | 0 | unsigned int chain_size = 0, i; |
1487 | 0 | int ret, idx; |
1488 | |
|
1489 | 0 | ret = gnutls_pkcs12_init(&p12); |
1490 | 0 | if (ret < 0) { |
1491 | 0 | gnutls_assert(); |
1492 | 0 | return ret; |
1493 | 0 | } |
1494 | | |
1495 | 0 | ret = gnutls_pkcs12_import(p12, p12blob, type, 0); |
1496 | 0 | if (ret < 0) { |
1497 | 0 | gnutls_assert(); |
1498 | 0 | gnutls_pkcs12_deinit(p12); |
1499 | 0 | return ret; |
1500 | 0 | } |
1501 | | |
1502 | 0 | if (password) { |
1503 | 0 | ret = gnutls_pkcs12_verify_mac(p12, password); |
1504 | 0 | if (ret < 0) { |
1505 | 0 | gnutls_assert(); |
1506 | 0 | gnutls_pkcs12_deinit(p12); |
1507 | 0 | return ret; |
1508 | 0 | } |
1509 | 0 | } |
1510 | | |
1511 | 0 | ret = gnutls_pkcs12_simple_parse(p12, password, &key, &chain, |
1512 | 0 | &chain_size, NULL, NULL, &crl, 0); |
1513 | 0 | gnutls_pkcs12_deinit(p12); |
1514 | 0 | if (ret < 0) { |
1515 | 0 | gnutls_assert(); |
1516 | 0 | return ret; |
1517 | 0 | } |
1518 | | |
1519 | 0 | if (key && chain) { |
1520 | 0 | ret = gnutls_certificate_set_x509_key(res, chain, chain_size, |
1521 | 0 | key); |
1522 | 0 | if (ret < 0) { |
1523 | 0 | gnutls_assert(); |
1524 | 0 | goto done; |
1525 | 0 | } |
1526 | | |
1527 | 0 | idx = ret; |
1528 | 0 | } else { |
1529 | 0 | gnutls_assert(); |
1530 | 0 | ret = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; |
1531 | 0 | goto done; |
1532 | 0 | } |
1533 | | |
1534 | 0 | if (crl) { |
1535 | 0 | ret = gnutls_certificate_set_x509_crl(res, &crl, 1); |
1536 | 0 | if (ret < 0) { |
1537 | 0 | gnutls_assert(); |
1538 | 0 | goto done; |
1539 | 0 | } |
1540 | 0 | } |
1541 | | |
1542 | 0 | if (res->flags & GNUTLS_CERTIFICATE_API_V2) |
1543 | 0 | ret = idx; |
1544 | 0 | else |
1545 | 0 | ret = 0; |
1546 | |
|
1547 | 0 | done: |
1548 | 0 | if (chain) { |
1549 | 0 | for (i = 0; i < chain_size; i++) |
1550 | 0 | gnutls_x509_crt_deinit(chain[i]); |
1551 | 0 | gnutls_free(chain); |
1552 | 0 | } |
1553 | 0 | if (key) |
1554 | 0 | gnutls_x509_privkey_deinit(key); |
1555 | 0 | if (crl) |
1556 | 0 | gnutls_x509_crl_deinit(crl); |
1557 | |
|
1558 | 0 | return ret; |
1559 | 0 | } |
1560 | | |
1561 | | /** |
1562 | | * gnutls_certificate_free_crls: |
1563 | | * @sc: is a #gnutls_certificate_credentials_t type. |
1564 | | * |
1565 | | * This function will delete all the CRLs associated |
1566 | | * with the given credentials. |
1567 | | **/ |
1568 | | void gnutls_certificate_free_crls(gnutls_certificate_credentials_t sc) |
1569 | 0 | { |
1570 | | /* do nothing for now */ |
1571 | 0 | return; |
1572 | 0 | } |
1573 | | |
1574 | | /** |
1575 | | * gnutls_certificate_credentials_t: |
1576 | | * @cred: is a #gnutls_certificate_credentials_t type. |
1577 | | * @fn: A PIN callback |
1578 | | * @userdata: Data to be passed in the callback |
1579 | | * |
1580 | | * This function will set a callback function to be used when |
1581 | | * required to access a protected object. This function overrides any other |
1582 | | * global PIN functions. |
1583 | | * |
1584 | | * Note that this function must be called right after initialization |
1585 | | * to have effect. |
1586 | | * |
1587 | | * Since: 3.1.0 |
1588 | | **/ |
1589 | | void gnutls_certificate_set_pin_function(gnutls_certificate_credentials_t cred, |
1590 | | gnutls_pin_callback_t fn, |
1591 | | void *userdata) |
1592 | 0 | { |
1593 | 0 | cred->pin.cb = fn; |
1594 | 0 | cred->pin.data = userdata; |
1595 | 0 | } |