/**
 * gnutls_certificate_set_x509_key_mem2:
 * @res: is a #gnutls_certificate_credentials_t type.
 * @cert: holds the certificate list (in memory) for the specified private key;
 *   must not be %NULL
 * @key: is the private key, or %NULL
 * @type: is PEM or DER
 * @pass: is the key's password
 * @flags: an ORed sequence of gnutls_pkcs_encrypt_flags_t
 *
 * This function sets a certificate/private key pair in the
 * gnutls_certificate_credentials_t type. It may be called more than
 * once, in case multiple keys/certificates exist for the server.
 *
 * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates
 * is supported. This means that certificates intended for signing cannot
 * be used for ciphersuites that require encryption.
 *
 * If the certificate and the private key are given in PEM encoding
 * then the strings that hold their values must be null terminated.
 *
 * The @key may be %NULL if you are using a sign callback, see
 * gnutls_sign_callback_set(). In that case the key/certificate match
 * check is skipped.
 *
 * The key is read first, then the certificate list; if the certificate
 * list cannot be read the freshly read key is released again. Once the
 * pair has been appended (@res->ncerts has been incremented) a failing
 * key/certificate match check is reported but not rolled back.
 *
 * Note that, this function by default returns zero on success and a negative
 * value on error. Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set
 * using gnutls_certificate_set_flags() it returns an index (greater or equal
 * to zero). That index can be used in other functions to refer to the added
 * key-pair.
 *
 * Returns: On success this function returns zero, and otherwise a negative
 * value on error (see above for modifying that behavior).
 **/
int
gnutls_certificate_set_x509_key_mem2(gnutls_certificate_credentials_t res,
				     const gnutls_datum_t * cert,
				     const gnutls_datum_t * key,
				     gnutls_x509_crt_fmt_t type,
				     const char *pass, unsigned int flags)
{
	gnutls_privkey_t rkey;
	int ret;

	/* The key has to be loaded before the certificate list, because
	 * read_cert_mem() takes the loaded key as an argument. A NULL @key
	 * is passed through as an empty buffer. */
	ret = _gnutls_read_key_mem(res, key ? key->data : NULL,
				   key ? key->size : 0, type, pass,
				   flags, &rkey);
	if (ret < 0)
		return ret;

	/* NOTE(review): @cert is dereferenced unconditionally; unlike @key
	 * it is not optional. */
	ret = read_cert_mem(res, rkey, cert->data, cert->size, type);
	if (ret < 0) {
		/* release the key read above before reporting the error */
		gnutls_privkey_deinit(rkey);
		return ret;
	}

	res->ncerts++;

	/* Without a key (sign-callback setups) there is nothing to match
	 * against, so the check only runs when a key was supplied. */
	if (key != NULL) {
		ret = _gnutls_check_key_cert_match(res);
		if (ret < 0) {
			gnutls_assert();
			return ret;
		}
	}

	CRED_RET_SUCCESS(res);
}
/**
 * gnutls_certificate_set_x509_key_file2:
 * @res: is a #gnutls_certificate_credentials_t type.
 * @certfile: is a file containing the certificate list (path) for
 *   the specified private key, in PKCS7 format, or a list of certificates
 * @keyfile: is a file that contains the private key
 * @type: is PEM or DER
 * @pass: is the password of the key
 * @flags: an ORed sequence of gnutls_pkcs_encrypt_flags_t
 *
 * This function sets a certificate/private key pair in the
 * gnutls_certificate_credentials_t type.  It may be called more than
 * once, in case multiple keys/certificates exist for the server.  For
 * clients that need to send more than their own end entity certificate,
 * e.g., also an intermediate CA cert, @certfile must contain the ordered
 * certificate chain.
 *
 * Note that the names in the certificate provided will be considered
 * when selecting the appropriate certificate to use (in case of multiple
 * certificate/key pairs).
 *
 * This function can also accept URLs at @keyfile and @certfile. In that case
 * it will use the private key and certificate indicated by the URLs. Note
 * that the supported URLs are the ones indicated by gnutls_url_is_supported().
 * Before GnuTLS 3.4.0, when a URL was specified the @pass part was ignored and
 * a PIN callback had to be registered; this is no longer the case in current
 * releases.
 *
 * In case @certfile is provided as a PKCS #11 URL, the certificate and its
 * issuers present in the token are imported (i.e., forming the required
 * trust chain).
 *
 * If this function fails to load, the @res structure is in an undefined
 * state and must not be reused to load other keys or certificates.
 *
 * Note that, this function by default returns zero on success and a negative
 * value on error. Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set
 * using gnutls_certificate_set_flags() it returns an index (greater or equal
 * to zero). That index can be used in other functions to refer to the added
 * key-pair.
 *
 * Returns: On success this function returns zero, and otherwise a negative
 * value on error (see above for modifying that behavior).
 *
 **/
int
gnutls_certificate_set_x509_key_file2(gnutls_certificate_credentials_t res,
				      const char *certfile,
				      const char *keyfile,
				      gnutls_x509_crt_fmt_t type,
				      const char *pass, unsigned int flags)
{
	gnutls_privkey_t rkey;
	int ret;

	/* Key first: read_cert_file() below takes the loaded key. */
	ret = _gnutls_read_key_file(res, keyfile, type, pass, flags, &rkey);
	if (ret < 0)
		return ret;

	ret = read_cert_file(res, rkey, certfile, type);
	if (ret < 0) {
		/* release the key read above before reporting the error */
		gnutls_privkey_deinit(rkey);
		return ret;
	}

	res->ncerts++;

	/* No rollback of ncerts on a mismatch: after a failure the
	 * credentials are documented as being in an undefined state. */
	ret = _gnutls_check_key_cert_match(res);
	if (ret < 0) {
		gnutls_assert();
		return ret;
	}

	CRED_RET_SUCCESS(res);
}
/**
 * gnutls_certificate_set_x509_key_file:
 * @res: is a #gnutls_certificate_credentials_t structure.
 * @certfile: is a file containing the certificate list (path) for
 *   the specified private key, in PKCS7 format, or a list of certificates
 * @keyfile: is a file that contains the private key
 * @type: is PEM or DER
 *
 * This function sets a certificate/private key pair in the
 * gnutls_certificate_credentials_t structure.  It may be called more
 * than once (in case multiple keys/certificates exist for the server).
 * Clients that want to send more than their own end entity certificate
 * (e.g., also an intermediate CA cert) should put the certificate chain
 * in @certfile.
 *
 * Currently only PKCS-1 encoded RSA and DSA private keys are accepted by
 * this function.
 *
 * The key file is read first, then the certificate file; afterwards the
 * pair is counted in @res->ncerts and checked for a key/certificate
 * match. Errors from the helpers are returned unchanged.
 *
 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
 **/
int
gnutls_certificate_set_x509_key_file (gnutls_certificate_credentials_t res,
				      const char *certfile,
				      const char *keyfile,
				      gnutls_x509_crt_fmt_t type)
{
	int ret;

	/* key before certificate */
	ret = read_key_file (res, keyfile, type);
	if (ret < 0)
		return ret;

	ret = read_cert_file (res, certfile, type);
	if (ret < 0)
		return ret;

	res->ncerts++;

	/* the pair is already counted; a mismatch is reported, not undone */
	ret = _gnutls_check_key_cert_match (res);
	if (ret < 0) {
		gnutls_assert ();
		return ret;
	}

	return 0;
}
/**
 * gnutls_certificate_set_x509_key_mem:
 * @res: is a #gnutls_certificate_credentials_t structure.
 * @cert: holds the certificate list (in memory) for the specified private key;
 *   must not be %NULL
 * @key: is the private key, or %NULL
 * @type: is PEM or DER
 *
 * This function sets a certificate/private key pair in the
 * gnutls_certificate_credentials_t structure. It may be called more than
 * once (in case multiple keys/certificates exist for the server).
 *
 * Currently supported are: RSA PKCS-1 encoded private keys and
 * DSA private keys.
 *
 * DSA private keys are encoded the OpenSSL way, which is an ASN.1
 * DER sequence of 6 INTEGERs - version, p, q, g, pub, priv.
 *
 * Note that the keyUsage (2.5.29.15) PKIX extension in X.509 certificates
 * is supported. This means that certificates intended for signing cannot
 * be used for ciphersuites that require encryption.
 *
 * If the certificate and the private key are given in PEM encoding
 * then the strings that hold their values must be null terminated.
 *
 * The @key may be %NULL if you are using a sign callback, see
 * gnutls_sign_callback_set(). In that case the key/certificate match
 * check is skipped.
 *
 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
 **/
int
gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t res,
				     const gnutls_datum_t * cert,
				     const gnutls_datum_t * key,
				     gnutls_x509_crt_fmt_t type)
{
	int ret;

	/* The key goes in first; a NULL @key is passed as an empty buffer. */
	ret = read_key_mem (res, key ? key->data : NULL,
			    key ? key->size : 0, type);
	if (ret < 0)
		return ret;

	/* NOTE(review): @cert is dereferenced unconditionally; unlike @key
	 * it is not optional. */
	ret = read_cert_mem (res, cert->data, cert->size, type);
	if (ret < 0)
		return ret;

	res->ncerts++;

	/* Nothing to match against when no key was supplied. */
	if (key != NULL) {
		ret = _gnutls_check_key_cert_match (res);
		if (ret < 0) {
			gnutls_assert ();
			return ret;
		}
	}

	return 0;
}
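/**
 * gnutls_certificate_set_x509_key:
 * @res: is a #gnutls_certificate_credentials_t type.
 * @cert_list: contains the certificate list for the specified private key;
 *   must hold at least one certificate
 * @cert_list_size: holds the size of the certificate list; must be positive
 * @key: is a #gnutls_x509_privkey_t key
 *
 * This function sets a certificate/private key pair in the
 * gnutls_certificate_credentials_t type.  It may be called more than
 * once, in case multiple keys/certificates exist for the server.  For
 * clients that want to send more than their own end entity certificate
 * (e.g., also an intermediate CA cert) put the certificate chain in
 * @cert_list.
 *
 * Note that the certificates and keys provided can be safely deinitialized
 * after this function is called.
 *
 * An empty or negative @cert_list_size, or a %NULL @cert_list, is rejected
 * with %GNUTLS_E_INVALID_REQUEST before anything is allocated.
 *
 * If this function fails to load, the @res type is in an undefined state
 * and must not be reused to load other keys or certificates.
 *
 * Note that, this function by default returns zero on success and a negative
 * value on error. Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set
 * using gnutls_certificate_set_flags() it returns an index (greater or equal
 * to zero). That index can be used in other functions to refer to the added
 * key-pair.
 *
 * Returns: On success this function returns zero, and otherwise a negative
 * value on error (see above for modifying that behavior).
 *
 * Since: 2.4.0
 **/
int
gnutls_certificate_set_x509_key(gnutls_certificate_credentials_t res,
				gnutls_x509_crt_t * cert_list,
				int cert_list_size,
				gnutls_x509_privkey_t key)
{
	int ret;
	gnutls_privkey_t pkey = NULL;
	gnutls_pcert_st *pcerts = NULL;
	gnutls_str_array_t names;

	/* cert_list[0] is dereferenced below and cert_list_size sizes an
	 * allocation, so an empty list or a negative size must be refused
	 * here rather than turning into an out-of-bounds read or a huge
	 * malloc. */
	if (cert_list == NULL || cert_list_size < 1) {
		gnutls_assert();
		return GNUTLS_E_INVALID_REQUEST;
	}

	_gnutls_str_array_init(&names);

	/* this should be first
	 */
	ret = gnutls_privkey_init(&pkey);
	if (ret < 0) {
		gnutls_assert();
		return ret;
	}

	if (res->pin.cb)
		gnutls_privkey_set_pin_function(pkey, res->pin.cb,
						res->pin.data);

	ret = gnutls_privkey_import_x509(pkey, key,
					 GNUTLS_PRIVKEY_IMPORT_COPY);
	if (ret < 0) {
		/* pkey was initialized above; go through cleanup so it is
		 * released instead of leaked */
		gnutls_assert();
		goto cleanup;
	}

	/* load certificates */
	pcerts = gnutls_malloc(sizeof(gnutls_pcert_st) *
			       (size_t) cert_list_size);
	if (pcerts == NULL) {
		gnutls_assert();
		ret = GNUTLS_E_MEMORY_ERROR;
		goto cleanup;
	}

	ret = _gnutls_get_x509_name(cert_list[0], &names);
	if (ret < 0) {
		gnutls_assert();
		goto cleanup;
	}

	/* cert_list_size is updated in place to the imported (sorted) count;
	 * aliasing an int through an unsigned int pointer is permitted. */
	ret = gnutls_pcert_import_x509_list(pcerts, cert_list,
					    (unsigned int *) &cert_list_size,
					    GNUTLS_X509_CRT_LIST_SORT);
	if (ret < 0) {
		gnutls_assert();
		goto cleanup;
	}

	ret = _gnutls_certificate_credential_append_keypair(res, pkey, names,
							    pcerts,
							    cert_list_size);
	if (ret < 0) {
		gnutls_assert();
		goto cleanup;
	}

	res->ncerts++;

	/* after this point we do not deinitialize anything on failure to avoid
	 * double freeing. We intentionally keep everything as the credentials state
	 * is documented to be on undefined state. */
	if ((ret = _gnutls_check_key_cert_match(res)) < 0) {
		gnutls_assert();
		return ret;
	}

	CRED_RET_SUCCESS(res);

      cleanup:
	/* Every goto above happens before the key pair was handed to @res,
	 * and the existing cleanup already assumes pcerts/names are still
	 * owned here on an append failure; the key is released under the
	 * same assumption. NOTE(review): the individual entries that
	 * gnutls_pcert_import_x509_list() filled in are not deinitialized
	 * on an append failure — confirm whether that helper or
	 * append_keypair already does so before adding a per-entry
	 * deinit loop. */
	gnutls_privkey_deinit(pkey);
	gnutls_free(pcerts);
	_gnutls_str_array_clear(&names);
	return ret;
}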
/**
 * gnutls_certificate_set_x509_key:
 * @res: is a #gnutls_certificate_credentials_t structure.
 * @cert_list: contains the certificate list for the specified private key
 * @cert_list_size: holds the size of the certificate list
 * @key: is a gnutls_x509_privkey_t key
 *
 * This function sets a certificate/private key pair in the
 * gnutls_certificate_credentials_t structure.  It may be called more
 * than once (in case multiple keys/certificates exist for the server).
 * Clients that want to send more than their own end entity certificate
 * (e.g., also an intermediate CA cert) should put the certificate chain
 * in @cert_list.
 *
 * The pair is stored at slot @res->ncerts: the key, certificate-list and
 * list-length arrays are each grown by one entry, the key is converted
 * into the new slot, every certificate in @cert_list is parsed into the
 * new list, and only then is @res->ncerts incremented and the
 * key/certificate match checked.
 *
 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
 *
 * Since: 2.4.0
 **/
int
gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res,
				 gnutls_x509_crt_t * cert_list,
				 int cert_list_size,
				 gnutls_x509_privkey_t key)
{
	/* index of the slot being filled; nothing below touches res->ncerts
	 * until the increment at the end */
	unsigned int pos = res->ncerts;
	int ret;
	int idx;

	/* Grow the key array by one entry. The result is assigned straight
	 * back into @res, as the original does; NOTE(review): this relies
	 * on gnutls_realloc_fast() not leaking the old block on failure —
	 * confirm. */
	res->pkey = gnutls_realloc_fast (res->pkey,
					 (pos + 1) * sizeof (gnutls_privkey));
	if (res->pkey == NULL) {
		gnutls_assert ();
		return GNUTLS_E_MEMORY_ERROR;
	}

	ret = _gnutls_x509_privkey_to_gkey (&res->pkey[pos], key);
	if (ret < 0) {
		gnutls_assert ();
		return ret;
	}

	/* Grow the certificate-list and list-length arrays in step. */
	res->cert_list = gnutls_realloc_fast (res->cert_list,
					      (1 + pos) * sizeof (gnutls_cert *));
	if (res->cert_list == NULL) {
		gnutls_assert ();
		return GNUTLS_E_MEMORY_ERROR;
	}

	res->cert_list_length = gnutls_realloc_fast (res->cert_list_length,
						     (1 + pos) * sizeof (int));
	if (res->cert_list_length == NULL) {
		gnutls_assert ();
		return GNUTLS_E_MEMORY_ERROR;
	}

	/* Start the new slot empty so parse_crt_mem() can grow it. */
	res->cert_list[pos] = NULL;
	res->cert_list_length[pos] = 0;

	for (idx = 0; idx < cert_list_size; idx++) {
		ret = parse_crt_mem (&res->cert_list[pos],
				     &res->cert_list_length[pos],
				     cert_list[idx]);
		if (ret < 0) {
			gnutls_assert ();
			return ret;
		}
	}

	res->ncerts++;

	ret = _gnutls_check_key_cert_match (res);
	if (ret < 0) {
		gnutls_assert ();
		return ret;
	}

	return 0;
}