1 /*
2 * Copyright (C) 2011-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <https://www.gnu.org/licenses/>
20 *
21 */
22
23 #include "gnutls_int.h"
24 #include "errors.h"
25 #include <auth/cert.h>
26 #include <x509/common.h>
27 #include <x509.h>
28 #include "x509/x509_int.h"
29 #include <gnutls/x509.h>
30 #include "x509_b64.h"
31
/**
 * gnutls_pcert_import_x509:
 * @pcert: The pcert structure
 * @crt: The certificate to be imported
 * @flags: zero for now (currently ignored)
 *
 * This convenience function will import the given certificate to a
 * #gnutls_pcert_st structure. The structure must be deinitialized
 * afterwards using gnutls_pcert_deinit().
 *
 * The certificate is stored as a private DER-encoded copy in
 * @pcert->cert and its public key is extracted into @pcert->pubkey;
 * @crt is not referenced after this call returns and stays owned by
 * the caller.
 *
 * On failure nothing is left allocated inside @pcert, so the caller
 * must not call gnutls_pcert_deinit() on it.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 * negative error value.
 *
 * Since: 3.0
 **/
int gnutls_pcert_import_x509(gnutls_pcert_st * pcert,
			     gnutls_x509_crt_t crt, unsigned int flags)
{
	int ret;

	/* Start from an all-zero structure; this also clears cert.data. */
	memset(pcert, 0, sizeof(*pcert));
	pcert->type = GNUTLS_CRT_X509;

	/* Keep our own DER rendering of the certificate. */
	ret = gnutls_x509_crt_export2(crt, GNUTLS_X509_FMT_DER, &pcert->cert);
	if (ret >= 0) {
		ret = gnutls_pubkey_init(&pcert->pubkey);
		if (ret >= 0) {
			ret = gnutls_pubkey_import_x509(pcert->pubkey, crt, 0);
			if (ret >= 0)
				return 0;

			/* Key extraction failed: drop the half-built key
			 * so the structure holds nothing on return. */
			gnutls_pubkey_deinit(pcert->pubkey);
			pcert->pubkey = NULL;
		}
	}

	/* Common error path: release the DER copy (a no-op if the
	 * export itself was what failed). */
	_gnutls_free_datum(&pcert->cert);
	return gnutls_assert_val(ret);
}
86
/**
 * gnutls_pcert_import_x509_list:
 * @pcert_list: The structures to store the certificates; must not contain initialized #gnutls_pcert_st structures.
 * @crt: The certificates to be imported
 * @ncrt: The number of certificates in @crt; will be updated if necessary
 * @flags: zero or %GNUTLS_X509_CRT_LIST_SORT
 *
 * This convenience function will import the given certificates to an
 * already allocated set of #gnutls_pcert_st structures. The structures must
 * be deinitialized afterwards using gnutls_pcert_deinit(). @pcert_list
 * should contain space for at least @ncrt elements.
 *
 * When %GNUTLS_X509_CRT_LIST_SORT is given and the list holds more than
 * one certificate, lists of up to DEFAULT_MAX_VERIFY_DEPTH entries are
 * sorted into chain order before import; longer lists are only checked
 * and %GNUTLS_E_CERTIFICATE_LIST_UNSORTED is returned if they are not
 * already sorted. If the sorter declines to sort a short list,
 * %GNUTLS_E_UNIMPLEMENTED_FEATURE is returned.
 *
 * Sorting may reduce @ncrt. The sorter is invoked without a deinit
 * callback, so any certificate object it leaves out of the chain is
 * still the caller's to release; keep the original count for that.
 *
 * The @crt objects themselves are never consumed: each pcert gets its
 * own DER copy and public key.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 * negative error value.
 *
 * Since: 3.4.0
 **/
int gnutls_pcert_import_x509_list(gnutls_pcert_st * pcert_list,
				  gnutls_x509_crt_t *crt, unsigned *ncrt,
				  unsigned int flags)
{
	gnutls_x509_crt_t sorted[DEFAULT_MAX_VERIFY_DEPTH];
	gnutls_x509_crt_t *chain = crt;	/* the list we actually import */
	unsigned imported, k;
	int ret;

	if ((flags & GNUTLS_X509_CRT_LIST_SORT) && *ncrt > 1) {
		if (*ncrt > DEFAULT_MAX_VERIFY_DEPTH) {
			/* Too many to sort on the stack: only verify order. */
			if (_gnutls_check_if_sorted(crt, *ncrt) < 0)
				return gnutls_assert_val(GNUTLS_E_CERTIFICATE_LIST_UNSORTED);
		} else {
			chain = _gnutls_sort_clist(sorted, crt, ncrt, NULL);
			/* The sorter hands back the input when it cannot sort. */
			if (chain == crt)
				return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
		}
	}

	for (imported = 0; imported < *ncrt; imported++) {
		ret = gnutls_pcert_import_x509(&pcert_list[imported],
					       chain[imported], 0);
		if (ret < 0)
			goto fail;
	}

	return 0;

 fail:
	/* Roll back the pcerts completed before the failing one. */
	for (k = 0; k < imported; k++)
		gnutls_pcert_deinit(&pcert_list[k]);
	return ret;
}
154
/**
 * gnutls_pcert_list_import_x509_raw:
 * @pcert_list: The structures to store the certificates; must not contain initialized #gnutls_pcert_st structures.
 * @pcert_list_size: Initially must hold the maximum number of certs. It will be updated with the number of certs available.
 * @data: The certificates.
 * @format: One of DER or PEM.
 * @flags: must be (0) or an OR'd sequence of gnutls_certificate_import_flags.
 *
 * This function will import the provided DER or PEM encoded certificates to an
 * already allocated set of #gnutls_pcert_st structures. The structures must
 * be deinitialized afterwards using gnutls_pcert_deinit(). @pcert_list
 * should contain space for at least @pcert_list_size elements.
 *
 * If the Certificate is PEM encoded it should have a header of "X509
 * CERTIFICATE", or "CERTIFICATE".
 *
 * Internally the data is parsed with gnutls_x509_crt_list_import() into
 * temporary certificate objects, each of which is then converted with
 * gnutls_pcert_import_x509(); the temporaries are released before
 * returning, on success and on failure alike. If a conversion fails,
 * the pcerts already filled in are deinitialized again.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 * negative error value; if the @pcert list doesn't have enough space
 * %GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
 *
 * Since: 3.0
 **/
int
gnutls_pcert_list_import_x509_raw(gnutls_pcert_st *pcert_list,
				  unsigned int *pcert_list_size,
				  const gnutls_datum_t *data,
				  gnutls_x509_crt_fmt_t format,
				  unsigned int flags)
{
	gnutls_x509_crt_t *crts;
	unsigned int pos, k;
	int ret;

	/* Temporary array sized by the caller's capacity. */
	crts = gnutls_malloc((*pcert_list_size) * sizeof(gnutls_x509_crt_t));
	if (crts == NULL)
		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);

	ret = gnutls_x509_crt_list_import(crts, pcert_list_size, data,
					  format, flags);
	if (ret < 0) {
		/* Only the array is ours at this point. */
		gnutls_free(crts);
		return gnutls_assert_val(ret);
	}

	ret = 0;
	for (pos = 0; pos < *pcert_list_size; pos++) {
		ret = gnutls_pcert_import_x509(&pcert_list[pos], crts[pos],
					       flags);
		if (ret < 0) {
			gnutls_assert();
			/* Undo the pcerts completed so far. */
			for (k = 0; k < pos; k++)
				gnutls_pcert_deinit(&pcert_list[k]);
			break;
		}
	}

	/* The parsed objects are not needed once copied into pcerts. */
	for (k = 0; k < *pcert_list_size; k++)
		gnutls_x509_crt_deinit(crts[k]);
	gnutls_free(crts);

	return ret;
}
225
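/**
 * gnutls_pcert_list_import_x509_file:
 * @pcert_list: The structures to store the certificates; must not contain initialized #gnutls_pcert_st structures.
 * @pcert_list_size: Initially must hold the maximum number of certs. It will be updated with the number of certs available.
 * @file: A file or supported URI with the certificates to load
 * @format: %GNUTLS_X509_FMT_DER or %GNUTLS_X509_FMT_PEM if a file is given
 * @pin_fn: a PIN callback if not globally set
 * @pin_fn_userdata: parameter for the PIN callback
 * @flags: zero or flags from %gnutls_certificate_import_flags
 *
 * This convenience function will import a certificate chain from the given
 * file or supported URI to #gnutls_pcert_st structures. The structures
 * must be deinitialized afterwards using gnutls_pcert_deinit().
 *
 * Certificates read from a file are always sorted into chain order
 * (%GNUTLS_X509_CRT_LIST_SORT is OR'ed into @flags for that path). A
 * list obtained through a URI is handed over in the order the backend
 * returned it unless @flags itself contains %GNUTLS_X509_CRT_LIST_SORT.
 * For a URI, loading is first attempted without a login and retried
 * with %GNUTLS_PKCS11_OBJ_FLAG_LOGIN if that fails.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 * negative error value; if the @pcert list doesn't have enough space
 * %GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
 *
 * Since: 3.6.3
 **/
int gnutls_pcert_list_import_x509_file(gnutls_pcert_st *pcert_list,
				       unsigned *pcert_list_size,
				       const char *file,
				       gnutls_x509_crt_fmt_t format,
				       gnutls_pin_callback_t pin_fn,
				       void *pin_fn_userdata,
				       unsigned int flags)
{
	int ret, ret2;
	unsigned i;
	gnutls_x509_crt_t *crts = NULL;
	unsigned crts_size = 0;	/* objects in crts[]; all owned by us */
	unsigned chain_size;	/* count as seen by the pcert import */
	gnutls_datum_t data = {NULL, 0};

	if (gnutls_url_is_supported(file) != 0) {
		/* Try without logging in first; objects that need a login
		 * are fetched on the second attempt. */
		ret = gnutls_x509_crt_list_import_url(&crts, &crts_size, file,
						      pin_fn, pin_fn_userdata,
						      0);
		if (ret < 0) {
			ret2 = gnutls_x509_crt_list_import_url(&crts, &crts_size,
							       file, pin_fn,
							       pin_fn_userdata,
							       GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
			if (ret2 >= 0)
				ret = ret2;
		}

		if (ret < 0) {
			gnutls_assert();
			goto cleanup;
		}
	} else { /* file */
		ret = gnutls_load_file(file, &data);
		if (ret < 0)
			return gnutls_assert_val(ret);

		ret = gnutls_x509_crt_list_import2(&crts, &crts_size, &data,
						   format,
						   flags | GNUTLS_X509_CRT_LIST_SORT);
		if (ret < 0) {
			gnutls_assert();
			goto cleanup;
		}
	}

	if (crts_size > *pcert_list_size) {
		gnutls_assert();
		ret = GNUTLS_E_SHORT_MEMORY_BUFFER;
		goto cleanup;
	}

	/* gnutls_pcert_import_x509_list() may lower the count it is given
	 * when it sorts the chain and drops certificates, and it calls the
	 * sorter without a deinit callback, so those objects remain ours.
	 * Pass a copy so that crts_size still covers every object in crts[]
	 * and the cleanup below releases all of them. */
	chain_size = crts_size;
	ret = gnutls_pcert_import_x509_list(pcert_list, crts, &chain_size,
					    flags);
	if (ret < 0) {
		gnutls_assert();
		goto cleanup;
	}
	*pcert_list_size = chain_size;

	ret = 0;
 cleanup:
	for (i = 0; i < crts_size; i++)
		gnutls_x509_crt_deinit(crts[i]);
	gnutls_free(crts);
	gnutls_free(data.data);
	return ret;
}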
307
308
/**
 * gnutls_pcert_import_x509_raw:
 * @pcert: The pcert structure
 * @cert: The raw certificate to be imported
 * @format: The format of the certificate
 * @flags: zero for now
 *
 * This convenience function will import the given certificate to a
 * #gnutls_pcert_st structure. The structure must be deinitialized
 * afterwards using gnutls_pcert_deinit().
 *
 * The encoded certificate is parsed into a temporary #gnutls_x509_crt_t
 * which is then handed to gnutls_pcert_import_x509(); the temporary is
 * released before returning, so @cert is not referenced afterwards.
 * @flags is passed on to gnutls_pcert_import_x509().
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 * negative error value.
 *
 * Since: 3.0
 **/
int gnutls_pcert_import_x509_raw(gnutls_pcert_st * pcert,
				 const gnutls_datum_t * cert,
				 gnutls_x509_crt_fmt_t format,
				 unsigned int flags)
{
	gnutls_x509_crt_t tmp;
	int ret;

	memset(pcert, 0, sizeof(*pcert));

	ret = gnutls_x509_crt_init(&tmp);
	if (ret < 0)
		return gnutls_assert_val(ret);

	/* Parse, then let the x509 importer take its own DER copy. */
	ret = gnutls_x509_crt_import(tmp, cert, format);
	if (ret >= 0)
		ret = gnutls_pcert_import_x509(pcert, tmp, flags);

	if (ret < 0)
		gnutls_assert();

	gnutls_x509_crt_deinit(tmp);
	return ret;
}
358
/**
 * gnutls_pcert_import_rawpk:
 * @pcert: The pcert structure to import the data into.
 * @pubkey: The raw public-key in #gnutls_pubkey_t format to be imported
 * @flags: zero for now
 *
 * This convenience function will import (i.e. convert) the given raw
 * public key @pubkey into a #gnutls_pcert_st structure. The structure
 * must be deinitialized afterwards using gnutls_pcert_deinit(). The
 * given @pubkey must not be deinitialized because it will be associated
 * with the given @pcert structure and will be deinitialized with it.
 *
 * Ownership of @pubkey only moves on success; if the DER export fails
 * the key is untouched and still belongs to the caller.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 * negative error value.
 *
 * Since: 3.6.6
 **/
int gnutls_pcert_import_rawpk(gnutls_pcert_st* pcert,
			      gnutls_pubkey_t pubkey, unsigned int flags)
{
	int ret;

	if (!pubkey)
		return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS);

	memset(pcert, 0, sizeof(*pcert));

	/* The pcert carries the bytes that go into the Certificate
	 * message; RFC 7250 mandates the DER SubjectPublicKeyInfo there,
	 * so render the key to DER and keep that as the "certificate". */
	ret = gnutls_pubkey_export2(pubkey, GNUTLS_X509_FMT_DER, &pcert->cert);
	if (ret < 0)
		return gnutls_assert_val(ret);

	/* From here on the key is owned by the pcert. */
	pcert->pubkey = pubkey;
	pcert->type = GNUTLS_CRT_RAWPK;

	return GNUTLS_E_SUCCESS;
}
404
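/**
 * gnutls_pcert_import_rawpk_raw:
 * @pcert: The pcert structure to import the data into.
 * @rawpubkey: The raw public-key in #gnutls_datum_t format to be imported.
 * @format: The format of the raw public-key. DER or PEM.
 * @key_usage: An ORed sequence of %GNUTLS_KEY_* flags.
 * @flags: zero for now (currently ignored)
 *
 * This convenience function will import (i.e. convert) the given raw
 * public key @rawpubkey into a #gnutls_pcert_st structure. The structure
 * must be deinitialized afterwards using gnutls_pcert_deinit().
 * Note that the caller is responsible for freeing @rawpubkey. All necessary
 * values will be copied into @pcert.
 *
 * Key usage (as defined by X.509 extension (2.5.29.15)) can be explicitly
 * set because there is no certificate structure around the key to define
 * this value. See for more info gnutls_x509_crt_get_key_usage().
 *
 * On failure no resources remain attached to @pcert (the public key
 * object created internally is released on every error path), so the
 * caller must not call gnutls_pcert_deinit() on it.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 * negative error value.
 *
 * Since: 3.6.6
 **/
int gnutls_pcert_import_rawpk_raw(gnutls_pcert_st* pcert,
				  const gnutls_datum_t* rawpubkey,
				  gnutls_x509_crt_fmt_t format,
				  unsigned int key_usage, unsigned int flags)
{
	int ret;

	if (rawpubkey == NULL)
		return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS);

	memset(pcert, 0, sizeof(*pcert));

	ret = gnutls_pubkey_init(&pcert->pubkey);
	if (ret < 0)
		return gnutls_assert_val(ret);

	/* Convert our raw public-key to a gnutls_pubkey_t structure.
	 * Previously a failure here leaked the key object initialized
	 * above; all error paths now release it. */
	ret = gnutls_pubkey_import(pcert->pubkey, rawpubkey, format);
	if (ret < 0) {
		gnutls_assert();
		goto fail;
	}

	pcert->pubkey->key_usage = key_usage;

	/* A pcert struct holds a raw copy of the certificate data.
	 * It is this raw data that will be transferred to the peer via a
	 * Certificate message. According to the spec (RFC7250) a DER
	 * representation must be used. Therefore we check the format and
	 * convert if necessary.
	 */
	if (format == GNUTLS_X509_FMT_PEM) {
		ret = _gnutls_fbase64_decode(PEM_PK,
					     rawpubkey->data, rawpubkey->size,
					     &pcert->cert);
	} else {
		/* Directly copy the raw DER data to our pcert. */
		ret = _gnutls_set_datum(&pcert->cert, rawpubkey->data,
					rawpubkey->size);
	}
	if (ret < 0) {
		gnutls_assert();
		goto fail;
	}

	pcert->type = GNUTLS_CRT_RAWPK;

	return GNUTLS_E_SUCCESS;

 fail:
	/* Leave the structure empty rather than pointing at freed memory,
	 * mirroring gnutls_pcert_import_x509(). Freeing the datum is a
	 * no-op when nothing was stored in it. */
	gnutls_pubkey_deinit(pcert->pubkey);
	pcert->pubkey = NULL;
	_gnutls_free_datum(&pcert->cert);
	return ret;
}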
485
/**
 * gnutls_pcert_export_x509:
 * @pcert: The pcert structure.
 * @crt: Location that receives a newly initialized #gnutls_x509_crt_t.
 *
 * Converts the given #gnutls_pcert_t type into a #gnutls_x509_crt_t.
 * This function only works if the type of @pcert is %GNUTLS_CRT_X509.
 * The certificate object is created by this function (the caller must
 * not initialize it beforehand); when successful, the value written to
 * @crt must be freed with gnutls_x509_crt_deinit() when no longer
 * needed. On failure *@crt is set to %NULL and nothing is allocated.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 * negative error value; %GNUTLS_E_INVALID_REQUEST if @pcert does not
 * hold an X.509 certificate.
 *
 * Since: 3.4.0
 */
int gnutls_pcert_export_x509(gnutls_pcert_st * pcert,
			     gnutls_x509_crt_t * crt)
{
	int ret;

	if (pcert->type != GNUTLS_CRT_X509)
		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);

	ret = gnutls_x509_crt_init(crt);
	if (ret < 0)
		return gnutls_assert_val(ret);

	/* X.509 pcerts always carry DER in pcert->cert (see the importers). */
	ret = gnutls_x509_crt_import(*crt, &pcert->cert, GNUTLS_X509_FMT_DER);
	if (ret >= 0)
		return 0;

	gnutls_x509_crt_deinit(*crt);
	*crt = NULL;
	return gnutls_assert_val(ret);
}
525
/**
 * gnutls_pcert_deinit:
 * @pcert: The structure to be deinitialized
 *
 * This function will deinitialize a pcert structure: the associated
 * public key (if any) is released and the stored certificate data is
 * freed. The pubkey pointer and the datum are reset, so calling this
 * twice on the same structure is harmless; the @type field is left as
 * it was.
 *
 * Since: 3.0
 **/
void gnutls_pcert_deinit(gnutls_pcert_st * pcert)
{
	gnutls_pubkey_t key = pcert->pubkey;

	/* Detach first so the structure never points at a freed key. */
	pcert->pubkey = NULL;
	if (key != NULL)
		gnutls_pubkey_deinit(key);

	_gnutls_free_datum(&pcert->cert);
}
541
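/* Converts the first certificate of the cert_auth_info structure
 * to a pcert.
 *
 * @pcert: receives the imported certificate or raw public key
 * @type: the negotiated certificate type (X.509 or raw public key)
 * @info: the peer's authentication info holding raw_certificate_list
 *
 * Returns 0 on success or a negative error code. Only an absent
 * certificate list is refused here; callers are still expected to have
 * checked that the peer actually sent at least one certificate before
 * relying on element 0.
 */
int
_gnutls_get_auth_info_pcert(gnutls_pcert_st * pcert,
			    gnutls_certificate_type_t type,
			    cert_auth_info_t info)
{
	const gnutls_datum_t *first;

	/* Defensive: never index a missing list. */
	if (info == NULL || info->raw_certificate_list == NULL)
		return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS);

	first = &info->raw_certificate_list[0];

	switch (type) {
	case GNUTLS_CRT_X509:
		return gnutls_pcert_import_x509_raw(pcert, first,
						    GNUTLS_X509_FMT_DER, 0);
	case GNUTLS_CRT_RAWPK:
		return gnutls_pcert_import_rawpk_raw(pcert, first,
						     GNUTLS_X509_FMT_DER,
						     0, 0);
	default:
		return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
	}
}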
565