static gint get_number_and_type_of_certificates(gnutls_datum_t *datum,
gnutls_x509_crt_fmt_t *format)
{
gnutls_x509_crt_t fake = 0;
guint retval = 1;
gint res = 0;
g_debug("%s:%d[%s]", __FILE__, __LINE__, __FUNCTION__);
res = gnutls_x509_crt_list_import(&fake, &retval, datum,
GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
if(GNUTLS_E_SHORT_MEMORY_BUFFER==res || 0<res)
{
*format = GNUTLS_X509_FMT_PEM;
return retval;
}
/* Try DER */
res = gnutls_x509_crt_list_import(&fake, &retval, datum,
GNUTLS_X509_FMT_DER, 0);
if(0 < res)
{
*format = GNUTLS_X509_FMT_DER;
return retval;
}
return res;
}
void SslContext::setCertFile(const std::string& filename)
{
if (error_) return;
if (!enabled) return;
TRACE("SslContext::setCertFile: \"%s\"", filename.c_str());
gnutls_datum_t data;
error_ = loadFile(data, filename);
if (error_) {
log(x0::Severity::error, "Error loading certificate file(%s): %s", filename.c_str(), error_.message().c_str());
return;
}
numX509Certs_ = sizeof(x509Certs_) / sizeof(*x509Certs_); // 8
int rv;
rv = gnutls_x509_crt_list_import(x509Certs_, &numX509Certs_, &data, GNUTLS_X509_FMT_PEM, 0);
if (rv < 0)
TRACE("gnutls_x509_crt_list_import: \"%s\"", gnutls_strerror(rv));
for (unsigned i = 0; i < numX509Certs_; ++i) {
// read Common Name (CN):
TRACE("retrieving Common Name");
std::size_t len = 0;
rv = gnutls_x509_crt_get_dn_by_oid(x509Certs_[i], GNUTLS_OID_X520_COMMON_NAME, 0, 0, nullptr, &len);
if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && len > 1) {
char *buf = new char[len + 1];
rv = gnutls_x509_crt_get_dn_by_oid(x509Certs_[i], GNUTLS_OID_X520_COMMON_NAME, 0, 0, buf, &len);
if (rv < 0)
TRACE("gnutls_x509_crt_get_dn_by_oid: \"%s\"", gnutls_strerror(rv));
certCN_ = buf;
delete[] buf;
TRACE("setCertFile: Common Name: \"%s\"", certCN_.c_str());
}
// read Subject Alternative-Name:
TRACE("retrieving Alternative-Name");
for (int k = 0; !(rv < 0); ++k) {
len = 0;
rv = gnutls_x509_crt_get_subject_alt_name(x509Certs_[i], k, nullptr, &len, nullptr);
if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && len > 1) {
char *buf = new char[len + 1];
rv = gnutls_x509_crt_get_subject_alt_name(x509Certs_[i], k, buf, &len, nullptr);
if (rv < 0)
TRACE("gnutls_x509_crt_get_subject_alt_name: \"%s\"", gnutls_strerror(rv));
buf[len] = '\0';
if (rv == GNUTLS_SAN_DNSNAME)
dnsNames_.push_back(buf);
TRACE("setCertFile: Subject: \"%s\"", buf);
delete[] buf;
}
}
}
freeFile(data);
TRACE("setCertFile: success.");
}
int
ca_cmd(struct tab *t, struct karg *args)
{
FILE *f = NULL;
int rv = 1, certs = 0, certs_read;
struct stat sb;
gnutls_datum_t dt;
gnutls_x509_crt_t *c = NULL;
char *certs_buf = NULL, *s;
if ((f = fopen(ssl_ca_file, "r")) == NULL) {
show_oops(t, "Can't open CA file: %s", ssl_ca_file);
return (1);
}
if (fstat(fileno(f), &sb) == -1) {
show_oops(t, "Can't stat CA file: %s", ssl_ca_file);
goto done;
}
certs_buf = g_malloc(sb.st_size + 1);
if (fread(certs_buf, 1, sb.st_size, f) != sb.st_size) {
show_oops(t, "Can't read CA file: %s", strerror(errno));
goto done;
}
certs_buf[sb.st_size] = '\0';
s = certs_buf;
while ((s = strstr(s, "BEGIN CERTIFICATE"))) {
certs++;
s += strlen("BEGIN CERTIFICATE");
}
bzero(&dt, sizeof dt);
dt.data = (unsigned char *)certs_buf;
dt.size = sb.st_size;
c = g_malloc(sizeof(gnutls_x509_crt_t) * certs);
certs_read = gnutls_x509_crt_list_import(c, (unsigned int *)&certs, &dt,
GNUTLS_X509_FMT_PEM, 0);
if (certs_read <= 0) {
show_oops(t, "No cert(s) available");
goto done;
}
show_certs(t, c, certs_read, "Certificate Authority Certificates");
done:
if (c)
g_free(c);
if (certs_buf)
g_free(certs_buf);
if (f)
fclose(f);
return (rv);
}
/** Import */
X509CertList(const std::string& certstr)
{
unsigned int certcount = 3;
certs.resize(certcount);
Datum datum(certstr);
int ret = gnutls_x509_crt_list_import(raw(), &certcount, datum.get(), GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
{
// the buffer wasn't big enough to hold all certs but gnutls changed certcount to the number of available certs,
// try again with a bigger buffer
certs.resize(certcount);
ret = gnutls_x509_crt_list_import(raw(), &certcount, datum.get(), GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
}
ThrowOnError(ret, "Unable to load certificates");
// Resize the vector to the actual number of certs because we rely on its size being correct
// when deallocating the certs
certs.resize(certcount);
}
void
doit (void)
{
gnutls_certificate_credentials_t x509_cred;
int ret;
unsigned int i;
gnutls_x509_crt_t issuer;
gnutls_x509_crt_t list[LIST_SIZE];
char dn[128];
size_t dn_size;
unsigned int list_size;
/* this must be called once in the program
*/
gnutls_global_init ();
gnutls_global_set_log_function (tls_log_func);
if (debug)
gnutls_global_set_log_level (6);
gnutls_certificate_allocate_credentials (&x509_cred);
gnutls_certificate_set_x509_trust_mem (x509_cred, &ca, GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key,
GNUTLS_X509_FMT_PEM);
/* test for gnutls_certificate_get_issuer() */
list_size = LIST_SIZE;
ret = gnutls_x509_crt_list_import(list, &list_size, &cert, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
if (ret < 0)
fail("gnutls_x509_crt_list_import");
ret = gnutls_certificate_get_issuer(x509_cred, list[0], &issuer, 0);
if (ret < 0)
fail("gnutls_certificate_get_isser");
dn_size = sizeof(dn);
ret = gnutls_x509_crt_get_dn(issuer, dn, &dn_size);
if (ret < 0)
fail("gnutls_certificate_get_isser");
if (debug)
fprintf(stderr, "Issuer's DN: %s\n", dn);
for (i=0;i<list_size;i++)
gnutls_x509_crt_deinit(list[i]);
gnutls_certificate_free_credentials(x509_cred);
gnutls_global_deinit();
if (debug) success("success");
}
static gnutls_x509_crt_t *load_ca_list_file(const char *path,
size_t *out_list_size,
crypto_error **error)
{
gnutls_x509_crt_t *list;
gnutls_datum dt = { NULL, 0 };
size_t fsize = 0;
int err;
unsigned int num = 200;
dt.data = crypto_read_file(path, &fsize, error);
if (!dt.data)
return NULL;
dt.size = (unsigned int) fsize;
list = gnutls_malloc(sizeof(gnutls_x509_crt_t) * num);
if (!list) {
crypto_error_set(error, 1, ENOMEM, "not enough memory for CA list");
goto out;
}
err = gnutls_x509_crt_list_import(list, &num, &dt, GNUTLS_X509_FMT_PEM, 0);
if (err <= 0) {
/* DER then maybe */
gnutls_free(list);
list = load_one_ca_file(path, error);
if (!list)
goto out;
num = 1;
} else
num = err; /* gnutls_x509_crt_list_import() returns # read */
if (err < 0) {
crypto_error_set(error, 1, 0, "importing CA list (%d)", err);
gnutls_free(list);
list = NULL;
} else
*out_list_size = num;
out:
gnutls_free(dt.data);
return list;
}
static int
qcrypto_tls_creds_load_ca_cert_list(QCryptoTLSCredsX509 *creds,
const char *certFile,
gnutls_x509_crt_t *certs,
unsigned int certMax,
size_t *ncerts,
Error **errp)
{
gnutls_datum_t data;
char *buf = NULL;
gsize buflen;
int ret = -1;
GError *gerr = NULL;
*ncerts = 0;
trace_qcrypto_tls_creds_x509_load_cert_list(creds, certFile);
if (!g_file_get_contents(certFile, &buf, &buflen, &gerr)) {
error_setg(errp, "Cannot load CA cert list %s: %s",
certFile, gerr->message);
g_error_free(gerr);
goto cleanup;
}
data.data = (unsigned char *)buf;
data.size = strlen(buf);
if (gnutls_x509_crt_list_import(certs, &certMax, &data,
GNUTLS_X509_FMT_PEM, 0) < 0) {
error_setg(errp,
"Unable to import CA certificate list %s",
certFile);
goto cleanup;
}
*ncerts = certMax;
ret = 0;
cleanup:
g_free(buf);
return ret;
}
static gboolean build_gnutls_ca_and_crl_lists(GIOSchedulerJob *job,
GCancellable *cancellable, gpointer user_data)
{
HevImpathyTLSVerifier *self = HEV_IMPATHY_TLS_VERIFIER(user_data);
HevImpathyTLSVerifierPrivate *priv =
HEV_IMPATHY_TLS_VERIFIER_GET_PRIVATE(self);
gint idx = 0;
gchar *user_certs_dir = NULL;
GDir *dir = NULL;
GError *error = NULL;
g_debug("%s:%d[%s]", __FILE__, __LINE__, __FUNCTION__);
priv->trusted_ca_list = g_ptr_array_new_with_free_func(
(GDestroyNotify)gnutls_x509_crt_deinit);
for(idx=0; idx<(gint)G_N_ELEMENTS(system_ca_paths)-1; idx++)
{
const gchar *path = NULL;
gchar *contents = NULL;
gsize length = 0;
gint res = 0, n_certs = 0;
gnutls_x509_crt_t *cert_list = NULL;
gnutls_datum_t datum = { NULL, 0 };
gnutls_x509_crt_fmt_t format = 0;
path = system_ca_paths[idx];
g_file_get_contents(path, &contents, &length, &error);
if(NULL != error)
{
g_clear_error(&error);
continue;
}
datum.data = (guchar *)contents;
datum.size = length;
n_certs = get_number_and_type_of_certificates(&datum, &format);
if(0 > n_certs)
{
g_free(contents);
continue;
}
cert_list = g_malloc0(sizeof(gnutls_x509_crt_t) * n_certs);
res = gnutls_x509_crt_list_import(cert_list, (guint *)&n_certs,
&datum, format, 0);
if(0 > res)
{
g_free(contents);
continue;
}
for(idx=0; idx<n_certs; idx++)
g_ptr_array_add(priv->trusted_ca_list, cert_list[idx]);
g_free(contents);
g_free(cert_list);
}
/* user certs */
user_certs_dir = g_build_filename(g_get_user_config_dir(),
"telepathy", "certs", NULL);
dir = g_dir_open(user_certs_dir, 0, &error);
if(NULL == error)
{
const gchar *cert_name = NULL;
while(NULL != (cert_name=g_dir_read_name(dir)))
{
gchar *contents = NULL, *cert_path = NULL;
gsize length = 0;
gint res = 0;
gnutls_datum_t datum = { NULL, 0 };
gnutls_x509_crt_t cert = 0;
cert_path = g_build_filename(user_certs_dir, cert_name, NULL);
g_file_get_contents(cert_path, &contents, &length, &error);
if(NULL != error)
{
g_clear_error(&error);
g_free(cert_path);
continue;
}
datum.data = (guchar *)contents;
datum.size = length;
gnutls_x509_crt_init(&cert);
res = gnutls_x509_crt_import(cert, &datum,
GNUTLS_X509_FMT_PEM);
if(GNUTLS_E_SUCCESS == res)
g_ptr_array_add(priv->trusted_ca_list, cert);
g_free(contents);
g_free(cert_path);
}
g_dir_close(dir);
}
else
{
g_error_free(error);
}
g_free(user_certs_dir);
g_io_scheduler_job_send_to_mainloop_async(job,
start_verification, self, NULL);
return FALSE;
}
/* Load the certificate and the private key.
*/
static void
load_keys (void)
{
unsigned int crt_num;
int ret;
gnutls_datum_t data;
if (x509_certfile != NULL && x509_keyfile != NULL)
{
data = load_file (x509_certfile);
if (data.data == NULL)
{
fprintf (stderr, "*** Error loading cert file.\n");
exit (1);
}
crt_num = MAX_CRT;
ret =
gnutls_x509_crt_list_import (x509_crt, &crt_num, &data,
GNUTLS_X509_FMT_PEM,
GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
if (ret < 0)
{
if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
{
fprintf (stderr,
"*** Error loading cert file: Too many certs %d\n",
crt_num);
}
else
{
fprintf (stderr,
"*** Error loading cert file: %s\n",
gnutls_strerror (ret));
}
exit (1);
}
x509_crt_size = ret;
fprintf (stderr, "Processed %d client certificates...\n", ret);
unload_file (data);
data = load_file (x509_keyfile);
if (data.data == NULL)
{
fprintf (stderr, "*** Error loading key file.\n");
exit (1);
}
gnutls_x509_privkey_init (&x509_key);
ret = gnutls_x509_privkey_import (x509_key, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
{
fprintf (stderr, "*** Error loading key file: %s\n",
gnutls_strerror (ret));
exit (1);
}
unload_file (data);
fprintf (stderr, "Processed %d client X.509 certificates...\n",
x509_crt_size);
}
#ifdef ENABLE_OPENPGP
if (pgp_certfile != NULL && pgp_keyfile != NULL)
{
data = load_file (pgp_certfile);
if (data.data == NULL)
{
fprintf (stderr, "*** Error loading PGP cert file.\n");
exit (1);
}
gnutls_openpgp_crt_init (&pgp_crt);
ret =
gnutls_openpgp_crt_import (pgp_crt, &data, GNUTLS_OPENPGP_FMT_BASE64);
if (ret < 0)
{
fprintf (stderr,
"*** Error loading PGP cert file: %s\n",
gnutls_strerror (ret));
exit (1);
}
unload_file (data);
data = load_file (pgp_keyfile);
if (data.data == NULL)
{
fprintf (stderr, "*** Error loading PGP key file.\n");
exit (1);
}
gnutls_openpgp_privkey_init (&pgp_key);
ret =
gnutls_openpgp_privkey_import (pgp_key, &data,
GNUTLS_OPENPGP_FMT_BASE64, NULL, 0);
if (ret < 0)
{
fprintf (stderr,
"*** Error loading PGP key file: %s\n",
gnutls_strerror (ret));
exit (1);
}
unload_file (data);
if (info.pgp_subkey != NULL)
{
gnutls_openpgp_keyid_t keyid;
if (strcasecmp (info.pgp_subkey, "auto") == 0)
{
ret = gnutls_openpgp_crt_get_auth_subkey (pgp_crt, keyid, 1);
if (ret < 0)
{
fprintf (stderr,
"*** Error setting preferred sub key id (%s): %s\n",
info.pgp_subkey, gnutls_strerror (ret));
exit (1);
}
}
else
get_keyid (keyid, info.pgp_subkey);
ret = gnutls_openpgp_crt_set_preferred_key_id (pgp_crt, keyid);
if (ret >= 0)
ret =
gnutls_openpgp_privkey_set_preferred_key_id (pgp_key, keyid);
if (ret < 0)
{
fprintf (stderr,
"*** Error setting preferred sub key id (%s): %s\n",
info.pgp_subkey, gnutls_strerror (ret));
exit (1);
}
}
fprintf (stderr, "Processed 1 client PGP certificate...\n");
}
#endif
}
void doit(void)
{
gnutls_certificate_credentials_t x509_cred;
int ret;
unsigned int i;
gnutls_x509_crt_t issuer;
gnutls_x509_crt_t list[LIST_SIZE];
char dn[128];
size_t dn_size;
unsigned int list_size;
size_t buf_size;
gnutls_x509_privkey_t get_key;
gnutls_x509_crt_t *get_crts;
unsigned n_get_crts;
gnutls_datum_t get_datum, chain_datum[2] = {server_ca3_cert, subca3_cert};
gnutls_x509_trust_list_t trust_list;
gnutls_x509_trust_list_iter_t trust_iter;
gnutls_x509_crt_t get_ca_crt;
unsigned n_get_ca_crts;
/* this must be called once in the program
*/
global_init();
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
gnutls_certificate_allocate_credentials(&x509_cred);
gnutls_certificate_set_x509_trust_mem(x509_cred, &ca3_cert,
GNUTLS_X509_FMT_PEM);
gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_cert_chain,
&server_ca3_key,
GNUTLS_X509_FMT_PEM);
/* test for gnutls_certificate_get_issuer() */
/* check whether gnutls_x509_crt_list_import will fail if given a single
* certificate */
list_size = LIST_SIZE;
ret =
gnutls_x509_crt_list_import(list, &list_size, &ca3_cert,
GNUTLS_X509_FMT_PEM,
GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
if (ret < 0)
fail("gnutls_x509_crt_list_import (failed with a single cert)");
gnutls_x509_crt_deinit(list[0]);
list_size = LIST_SIZE;
ret =
gnutls_x509_crt_list_import(list, &list_size, &cli_ca3_cert_chain,
GNUTLS_X509_FMT_PEM,
GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
if (ret < 0)
fail("gnutls_x509_crt_list_import");
ret =
gnutls_certificate_get_issuer(x509_cred, list[list_size-1], &issuer, 0);
if (ret < 0)
fail("gnutls_certificate_get_isser");
ret =
gnutls_certificate_get_issuer(x509_cred, list[list_size-1], &issuer, GNUTLS_TL_GET_COPY);
if (ret < 0)
fail("gnutls_certificate_get_isser");
dn_size = sizeof(dn);
ret = gnutls_x509_crt_get_dn(issuer, dn, &dn_size);
if (ret < 0)
fail("gnutls_certificate_get_dn");
gnutls_x509_crt_deinit(issuer);
if (dn_size != strlen(dn)) {
fail("gnutls_x509_crt_get_dn: lengths don't match\n");
exit(1);
}
if (debug)
fprintf(stderr, "Issuer's DN: %s\n", dn);
/* test the getter functions of gnutls_certificate_credentials_t */
ret =
gnutls_certificate_get_x509_key(x509_cred, 0, &get_key);
if (ret < 0)
fail("gnutls_certificate_get_x509_key");
ret =
gnutls_x509_privkey_export2(get_key,
GNUTLS_X509_FMT_PEM,
&get_datum);
if (ret < 0)
fail("gnutls_x509_privkey_export2");
if (get_datum.size != server_ca3_key.size ||
memcmp(get_datum.data, server_ca3_key.data, get_datum.size) != 0) {
fail(
"exported key %u vs. %u\n\n%s\n\nvs.\n\n%s",
get_datum.size, server_ca3_key.size,
get_datum.data, server_ca3_key.data);
}
if (strlen((char*)get_datum.data) != get_datum.size) {
fail("exported key %u vs. %u\n\n%s\n",
get_datum.size, (unsigned)strlen((char*)get_datum.data),
get_datum.data);
}
gnutls_free(get_datum.data);
buf_size = sizeof(buf);
ret =
gnutls_x509_privkey_export(get_key,
GNUTLS_X509_FMT_PEM,
buf, &buf_size);
if (ret < 0)
fail("gnutls_x509_privkey_export");
if (buf_size != get_datum.size ||
buf_size != strlen(buf) ||
memcmp(buf, server_ca3_key.data, buf_size) != 0) {
fail(
"exported key %u vs. %u\n\n%s\n\nvs.\n\n%s",
(int)buf_size, server_ca3_key.size,
buf, server_ca3_key.data);
}
ret =
gnutls_certificate_get_x509_crt(x509_cred, 0, &get_crts, &n_get_crts);
if (ret < 0)
fail("gnutls_certificate_get_x509_crt");
if (n_get_crts != 2)
fail("gnutls_certificate_get_x509_crt: n_crts != 2");
for (i = 0; i < n_get_crts; i++) {
ret =
gnutls_x509_crt_export2(get_crts[i],
GNUTLS_X509_FMT_PEM,
&get_datum);
if (ret < 0)
fail("gnutls_x509_crt_export2");
if (get_datum.size != chain_datum[i].size ||
memcmp(get_datum.data, chain_datum[i].data, get_datum.size) != 0) {
fail(
"exported certificate %u vs. %u\n\n%s\n\nvs.\n\n%s",
get_datum.size, chain_datum[i].size,
get_datum.data, chain_datum[i].data);
}
gnutls_free(get_datum.data);
}
gnutls_certificate_get_trust_list(x509_cred, &trust_list);
n_get_ca_crts = 0;
trust_iter = NULL;
while (gnutls_x509_trust_list_iter_get_ca(trust_list,
&trust_iter,
&get_ca_crt) !=
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
ret =
gnutls_x509_crt_export2(get_ca_crt,
GNUTLS_X509_FMT_PEM,
&get_datum);
if (ret < 0)
fail("gnutls_x509_crt_export2");
if (get_datum.size != ca3_cert.size ||
memcmp(get_datum.data, ca3_cert.data, get_datum.size) != 0) {
fail(
"exported CA certificate %u vs. %u\n\n%s\n\nvs.\n\n%s",
get_datum.size, ca3_cert.size,
get_datum.data, ca3_cert.data);
}
gnutls_x509_crt_deinit(get_ca_crt);
gnutls_free(get_datum.data);
++n_get_ca_crts;
}
if (n_get_ca_crts != 1)
fail("gnutls_x509_trust_list_iter_get_ca: n_cas != 1");
if (trust_iter != NULL)
fail("gnutls_x509_trust_list_iter_get_ca: iterator not NULL after iteration");
gnutls_x509_privkey_deinit(get_key);
for (i = 0; i < n_get_crts; i++)
gnutls_x509_crt_deinit(get_crts[i]);
gnutls_free(get_crts);
for (i = 0; i < list_size; i++)
gnutls_x509_crt_deinit(list[i]);
gnutls_certificate_free_credentials(x509_cred);
gnutls_global_deinit();
if (debug)
success("success");
}
/*
* initialize a new TLS context
*/
static int
tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
{
tlsg_ctx *ctx = lo->ldo_tls_ctx;
int rc;
if ( lo->ldo_tls_ciphersuite &&
tlsg_parse_ciphers( ctx, lt->lt_ciphersuite )) {
Debug( LDAP_DEBUG_ANY,
"TLS: could not set cipher list %s.\n",
lo->ldo_tls_ciphersuite, 0, 0 );
return -1;
}
if (lo->ldo_tls_cacertdir != NULL) {
Debug( LDAP_DEBUG_ANY,
"TLS: warning: cacertdir not implemented for gnutls\n",
NULL, NULL, NULL );
}
if (lo->ldo_tls_cacertfile != NULL) {
rc = gnutls_certificate_set_x509_trust_file(
ctx->cred,
lt->lt_cacertfile,
GNUTLS_X509_FMT_PEM );
if ( rc < 0 ) return -1;
}
if ( lo->ldo_tls_certfile && lo->ldo_tls_keyfile ) {
gnutls_x509_privkey_t key;
gnutls_datum_t buf;
gnutls_x509_crt_t certs[VERIFY_DEPTH];
unsigned int max = VERIFY_DEPTH;
rc = gnutls_x509_privkey_init( &key );
if ( rc ) return -1;
/* OpenSSL builds the cert chain for us, but GnuTLS
* expects it to be present in the certfile. If it's
* not, we have to build it ourselves. So we have to
* do some special checks here...
*/
rc = tlsg_getfile( lt->lt_keyfile, &buf );
if ( rc ) return -1;
rc = gnutls_x509_privkey_import( key, &buf,
GNUTLS_X509_FMT_PEM );
LDAP_FREE( buf.data );
if ( rc < 0 ) return rc;
rc = tlsg_getfile( lt->lt_certfile, &buf );
if ( rc ) return -1;
rc = gnutls_x509_crt_list_import( certs, &max, &buf,
GNUTLS_X509_FMT_PEM, 0 );
LDAP_FREE( buf.data );
if ( rc < 0 ) return rc;
/* If there's only one cert and it's not self-signed,
* then we have to build the cert chain.
*/
if ( max == 1 && !gnutls_x509_crt_check_issuer( certs[0], certs[0] )) {
gnutls_x509_crt_t *cas;
unsigned int i, j, ncas;
gnutls_certificate_get_x509_cas( ctx->cred, &cas, &ncas );
for ( i = 1; i<VERIFY_DEPTH; i++ ) {
for ( j = 0; j<ncas; j++ ) {
if ( gnutls_x509_crt_check_issuer( certs[i-1], cas[j] )) {
certs[i] = cas[j];
max++;
/* If this CA is self-signed, we're done */
if ( gnutls_x509_crt_check_issuer( cas[j], cas[j] ))
j = ncas;
break;
}
}
/* only continue if we found a CA and it was not self-signed */
if ( j == ncas )
break;
}
}
rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key );
if ( rc ) return -1;
} else if ( lo->ldo_tls_certfile || lo->ldo_tls_keyfile ) {
Debug( LDAP_DEBUG_ANY,
"TLS: only one of certfile and keyfile specified\n",
NULL, NULL, NULL );
return -1;
}
if ( lo->ldo_tls_dhfile ) {
Debug( LDAP_DEBUG_ANY,
"TLS: warning: ignoring dhfile\n",
NULL, NULL, NULL );
}
if ( lo->ldo_tls_crlfile ) {
rc = gnutls_certificate_set_x509_crl_file(
ctx->cred,
lt->lt_crlfile,
GNUTLS_X509_FMT_PEM );
if ( rc < 0 ) return -1;
rc = 0;
}
/* FIXME: ITS#5992 - this should go be configurable,
* and V1 CA certs should be phased out ASAP.
*/
gnutls_certificate_set_verify_flags( ctx->cred,
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT );
if ( is_server ) {
gnutls_dh_params_init(&ctx->dh_params);
gnutls_dh_params_generate2(ctx->dh_params, DH_BITS);
}
return 0;
}
/* Load the certificate and the private key.
*/
static void
load_keys (void)
{
unsigned int crt_num;
int ret, i;
gnutls_datum_t data = { NULL, 0 };
gnutls_x509_crt_t crt_list[MAX_CRT];
#ifdef ENABLE_PKCS11
gnutls_pkcs11_privkey_t pkcs11_key;
#endif
gnutls_x509_privkey_t tmp_key;
unsigned char keyid[GNUTLS_OPENPGP_KEYID_SIZE];
if (x509_certfile != NULL && x509_keyfile != NULL)
{
#ifdef ENABLE_PKCS11
if (strncmp (x509_certfile, "pkcs11:", 7) == 0)
{
crt_num = 1;
gnutls_x509_crt_init (&crt_list[0]);
ret =
gnutls_x509_crt_import_pkcs11_url (crt_list[0], x509_certfile, 0);
if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
ret =
gnutls_x509_crt_import_pkcs11_url (crt_list[0], x509_certfile,
GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
if (ret < 0)
{
fprintf (stderr, "*** Error loading cert file.\n");
exit (1);
}
x509_crt_size = 1;
}
else
#endif /* ENABLE_PKCS11 */
{
data = load_file (x509_certfile);
if (data.data == NULL)
{
fprintf (stderr, "*** Error loading cert file.\n");
exit (1);
}
crt_num = MAX_CRT;
ret =
gnutls_x509_crt_list_import (crt_list, &crt_num, &data,
GNUTLS_X509_FMT_PEM,
GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
if (ret < 0)
{
if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
{
fprintf (stderr,
"*** Error loading cert file: Too many certs %d\n",
crt_num);
}
else
{
fprintf (stderr,
"*** Error loading cert file: %s\n",
gnutls_strerror (ret));
}
exit (1);
}
x509_crt_size = ret;
}
for (i=0;i<x509_crt_size;i++)
{
ret = gnutls_pcert_import_x509(&x509_crt[i], crt_list[i], 0);
if (ret < 0)
{
fprintf(stderr, "*** Error importing crt to pcert: %s\n",
gnutls_strerror(ret));
exit(1);
}
gnutls_x509_crt_deinit(crt_list[i]);
}
unload_file (&data);
ret = gnutls_privkey_init(&x509_key);
if (ret < 0)
{
fprintf (stderr, "*** Error initializing key: %s\n",
gnutls_strerror (ret));
exit (1);
}
#ifdef ENABLE_PKCS11
if (strncmp (x509_keyfile, "pkcs11:", 7) == 0)
{
gnutls_pkcs11_privkey_init (&pkcs11_key);
ret =
gnutls_pkcs11_privkey_import_url (pkcs11_key, x509_keyfile, 0);
if (ret < 0)
{
fprintf (stderr, "*** Error loading url: %s\n",
gnutls_strerror (ret));
exit (1);
}
ret = gnutls_privkey_import_pkcs11( x509_key, pkcs11_key, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
if (ret < 0)
{
fprintf (stderr, "*** Error loading url: %s\n",
gnutls_strerror (ret));
exit (1);
}
}
else
#endif /* ENABLE_PKCS11 */
{
data = load_file (x509_keyfile);
if (data.data == NULL)
{
fprintf (stderr, "*** Error loading key file.\n");
exit (1);
}
gnutls_x509_privkey_init (&tmp_key);
ret =
gnutls_x509_privkey_import (tmp_key, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
{
fprintf (stderr, "*** Error loading key file: %s\n",
gnutls_strerror (ret));
exit (1);
}
ret = gnutls_privkey_import_x509( x509_key, tmp_key, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
if (ret < 0)
{
fprintf (stderr, "*** Error loading url: %s\n",
gnutls_strerror (ret));
exit (1);
}
unload_file (&data);
}
fprintf (stdout, "Processed %d client X.509 certificates...\n",
x509_crt_size);
}
#ifdef ENABLE_OPENPGP
if (info.pgp_subkey != NULL)
{
get_keyid (keyid, info.pgp_subkey);
}
if (pgp_certfile != NULL && pgp_keyfile != NULL)
{
gnutls_openpgp_crt_t tmp_pgp_crt;
data = load_file (pgp_certfile);
if (data.data == NULL)
{
fprintf (stderr, "*** Error loading PGP cert file.\n");
exit (1);
}
gnutls_openpgp_crt_init (&tmp_pgp_crt);
ret =
gnutls_pcert_import_openpgp_raw (&pgp_crt, &data, GNUTLS_OPENPGP_FMT_BASE64, info.pgp_subkey!=NULL?keyid:NULL, 0);
if (ret < 0)
{
fprintf (stderr,
"*** Error loading PGP cert file: %s\n",
gnutls_strerror (ret));
exit (1);
}
unload_file (&data);
ret = gnutls_privkey_init(&pgp_key);
if (ret < 0)
{
fprintf (stderr, "*** Error initializing key: %s\n",
gnutls_strerror (ret));
exit (1);
}
#ifdef ENABLE_PKCS11
if (strncmp (pgp_keyfile, "pkcs11:", 7) == 0)
{
gnutls_pkcs11_privkey_init (&pkcs11_key);
ret = gnutls_pkcs11_privkey_import_url (pkcs11_key, pgp_keyfile, 0);
if (ret < 0)
{
fprintf (stderr, "*** Error loading url: %s\n",
gnutls_strerror (ret));
exit (1);
}
ret = gnutls_privkey_import_pkcs11( pgp_key, pkcs11_key, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
if (ret < 0)
{
fprintf (stderr, "*** Error loading url: %s\n",
gnutls_strerror (ret));
exit (1);
}
}
else
#endif /* ENABLE_PKCS11 */
{
gnutls_openpgp_privkey_t tmp_pgp_key;
data = load_file (pgp_keyfile);
if (data.data == NULL)
{
fprintf (stderr, "*** Error loading PGP key file.\n");
exit (1);
}
gnutls_openpgp_privkey_init (&tmp_pgp_key);
ret =
gnutls_openpgp_privkey_import (tmp_pgp_key, &data,
GNUTLS_OPENPGP_FMT_BASE64, NULL,
0);
if (ret < 0)
{
fprintf (stderr,
"*** Error loading PGP key file: %s\n",
gnutls_strerror (ret));
exit (1);
}
if (info.pgp_subkey != NULL)
{
ret =
gnutls_openpgp_privkey_set_preferred_key_id (tmp_pgp_key, keyid);
if (ret < 0)
{
fprintf (stderr,
"*** Error setting preferred sub key id (%s): %s\n",
info.pgp_subkey, gnutls_strerror (ret));
exit (1);
}
}
ret = gnutls_privkey_import_openpgp( pgp_key, tmp_pgp_key, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE);
if (ret < 0)
{
fprintf (stderr, "*** Error loading url: %s\n",
gnutls_strerror (ret));
exit (1);
}
unload_file (&data);
}
fprintf (stdout, "Processed 1 client PGP certificate...\n");
}
#endif
}
int _requiem_tls_crt_list_import(gnutls_x509_crt *certs, unsigned int *cmax,
const gnutls_datum *indata, gnutls_x509_crt_fmt format)
{
return gnutls_x509_crt_list_import(certs, cmax, indata, format, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
}
int main (int argc, char **argv) {
/* Local Vars */
int ret;
int i;
unsigned int len;
gnutls_x509_crt_t cert[1];
char *subject = NULL;
size_t subject_len;
time_t expiration_time, activation_time;
/* Set signal handling and alarm */
if (signal (SIGALRM, timeout_alarm_handler) == SIG_ERR)
critical("Setup SIGALRM trap failed!");
/* Process check arguments */
if (process_arguments(argc, argv) != OK)
unknown("Parsing arguments failed!");
/* Start plugin timeout */
alarm(mp_timeout);
/* Init GnuTLS */
gnutls_global_init();
for(i = 0; i < cert_files; i++) {
if (mp_verbose)
printf("Cert: %s\n", cert_file[i]);
/* Read the Cert */
gnutls_datum_t data = { NULL, 0 };
ret = mp_slurp(cert_file[i], &(data.data));
data.size = ret;
if (ret <= 0) {
set_critical("Error loading cert file '%s'.", cert_file[i]);
continue;
}
/* Load the Cert to a list. */
len = 1;
ret = gnutls_x509_crt_list_import(cert, &len, &data,
GNUTLS_X509_FMT_PEM,
GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
if (ret < 0) {
set_critical("%s error: %s", cert_file[i], gnutls_strerror(ret));
continue;
};
/* Read der Cert CN */
if (subject == NULL) {
subject = mp_malloc(128);
subject_len = 128;
}
ret = gnutls_x509_crt_get_dn_by_oid(cert[0],
GNUTLS_OID_X520_COMMON_NAME, 0, 0,
subject, &subject_len);
if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
subject_len+=1;
subject = mp_realloc(subject, subject_len);
ret = gnutls_x509_crt_get_dn_by_oid(cert[0],
GNUTLS_OID_X520_COMMON_NAME, 0, 0,
subject, &subject_len);
}
if (ret != 0) {
set_critical("%s error: %s", cert_file[i], gnutls_strerror(ret));
continue;
}
if (mp_verbose) {
printf(" * Subject: %s\n", subject);
}
/* Check expire time */
expiration_time = gnutls_x509_crt_get_expiration_time (cert[0]);
activation_time = gnutls_x509_crt_get_activation_time (cert[0]);
if (mp_verbose) {
printf (" * Certificate is valid since: %s", ctime (&activation_time));
printf (" * Certificate expires: %s", ctime (&expiration_time));
}
int days = (int)difftime(expiration_time, time(0))/86400;
switch (get_status((expiration_time-time(0)), expire_thresholds)) {
case STATE_OK:
set_ok(cert_file[i]);
break;
case STATE_WARNING:
set_warning("%s expires in %d day%s", cert_file[i], days, days==1?"":"s");
break;
case STATE_CRITICAL:
set_critical("%s expires in %d day%s", cert_file[i], days, days==1?"":"s");
break;
}
if (activation_time > time(0)) {
int days = (int)difftime(activation_time, time(0))/86400;
set_critical("%s activates in %d day%s", cert_file[i], days, days==1?"":"s");
}
}
// Dissconnect
gnutls_global_deinit ();
mp_exit("X509");
}
int
rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, const char *cipher_list)
{
int ret;
const char *err;
gnutls_datum_t *d_cert, *d_key;
if(cert == NULL)
{
rb_lib_log("rb_setup_ssl_server: No certificate file");
return 0;
}
if((d_cert = rb_load_file_into_datum_t(cert)) == NULL)
{
rb_lib_log("rb_setup_ssl_server: Error loading certificate: %s", strerror(errno));
return 0;
}
if((d_key = rb_load_file_into_datum_t(keyfile)) == NULL)
{
rb_lib_log("rb_setup_ssl_server: Error loading key: %s", strerror(errno));
return 0;
}
/* In addition to creating the certificate set, we also need to store our cert elsewhere
* so we can force GnuTLS to identify with it when acting as a client.
*/
gnutls_x509_privkey_init(&x509_key);
if ((ret = gnutls_x509_privkey_import(x509_key, d_key, GNUTLS_X509_FMT_PEM)) != GNUTLS_E_SUCCESS)
{
rb_lib_log("rb_setup_ssl_server: Error loading key file: %s", gnutls_strerror(ret));
return 0;
}
x509_cert_count = MAX_CERTS;
if ((ret = gnutls_x509_crt_list_import(x509_cert, &x509_cert_count, d_cert, GNUTLS_X509_FMT_PEM,
GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED)) < 0)
{
rb_lib_log("rb_setup_ssl_server: Error loading certificate: %s", gnutls_strerror(ret));
return 0;
}
x509_cert_count = ret;
if((ret =
gnutls_certificate_set_x509_key_mem(x509, d_cert, d_key,
GNUTLS_X509_FMT_PEM)) != GNUTLS_E_SUCCESS)
{
rb_lib_log("rb_setup_ssl_server: Error loading certificate or key file: %s",
gnutls_strerror(ret));
return 0;
}
rb_free_datum_t(d_cert);
rb_free_datum_t(d_key);
if(dhfile != NULL)
{
if(gnutls_dh_params_init(&dh_params) == GNUTLS_E_SUCCESS)
{
gnutls_datum_t *data;
int xret;
data = rb_load_file_into_datum_t(dhfile);
if(data != NULL)
{
xret = gnutls_dh_params_import_pkcs3(dh_params, data,
GNUTLS_X509_FMT_PEM);
if(xret < 0)
rb_lib_log
("rb_setup_ssl_server: Error parsing DH file: %s\n",
gnutls_strerror(xret));
rb_free_datum_t(data);
}
gnutls_certificate_set_dh_params(x509, dh_params);
}
else
rb_lib_log("rb_setup_ssl_server: Unable to setup DH parameters");
}
ret = gnutls_priority_init(&default_priority, cipher_list, &err);
if (ret < 0)
{
rb_lib_log("rb_setup_ssl_server: syntax error (using defaults instead) in ssl cipher list at: %s", err);
gnutls_priority_init(&default_priority, NULL, &err);
return 1;
}
return 1;
}
/* Load the certificate and the private key.
*/
static void
load_keys (void)
{
unsigned int crt_num;
int ret;
unsigned int i;
gnutls_datum_t data = { NULL, 0 };
gnutls_x509_crt_t crt_list[MAX_CRT];
unsigned char keyid[GNUTLS_OPENPGP_KEYID_SIZE];
if (x509_certfile != NULL && x509_keyfile != NULL)
{
#ifdef ENABLE_PKCS11
if (strncmp (x509_certfile, "pkcs11:", 7) == 0)
{
crt_num = 1;
gnutls_x509_crt_init (&crt_list[0]);
gnutls_x509_crt_set_pin_function(crt_list[0], pin_callback, NULL);
ret =
gnutls_x509_crt_import_pkcs11_url (crt_list[0], x509_certfile, 0);
if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
ret =
gnutls_x509_crt_import_pkcs11_url (crt_list[0], x509_certfile,
GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
if (ret < 0)
{
fprintf (stderr, "*** Error loading cert file.\n");
exit (1);
}
x509_crt_size = 1;
}
else
#endif /* ENABLE_PKCS11 */
{
ret = gnutls_load_file (x509_certfile, &data);
if (ret < 0)
{
fprintf (stderr, "*** Error loading cert file.\n");
exit (1);
}
crt_num = MAX_CRT;
ret =
gnutls_x509_crt_list_import (crt_list, &crt_num, &data,
x509ctype,
GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
if (ret < 0)
{
if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
{
fprintf (stderr,
"*** Error loading cert file: Too many certs %d\n",
crt_num);
}
else
{
fprintf (stderr,
"*** Error loading cert file: %s\n",
gnutls_strerror (ret));
}
exit (1);
}
x509_crt_size = ret;
}
for (i=0;i<x509_crt_size;i++)
{
ret = gnutls_pcert_import_x509(&x509_crt[i], crt_list[i], 0);
if (ret < 0)
{
fprintf(stderr, "*** Error importing crt to pcert: %s\n",
gnutls_strerror(ret));
exit(1);
}
gnutls_x509_crt_deinit(crt_list[i]);
}
gnutls_free (data.data);
ret = gnutls_privkey_init(&x509_key);
if (ret < 0)
{
fprintf (stderr, "*** Error initializing key: %s\n",
gnutls_strerror (ret));
exit (1);
}
gnutls_privkey_set_pin_function(x509_key, pin_callback, NULL);
if (gnutls_url_is_supported(x509_keyfile) != 0)
{
ret =
gnutls_privkey_import_url (x509_key, x509_keyfile, 0);
if (ret < 0)
{
fprintf (stderr, "*** Error loading url: %s\n",
gnutls_strerror (ret));
exit (1);
}
}
else
{
ret = gnutls_load_file (x509_keyfile, &data);
if (ret < 0)
{
fprintf (stderr, "*** Error loading key file.\n");
exit (1);
}
ret = gnutls_privkey_import_x509_raw( x509_key, &data, x509ctype, NULL, 0);
if (ret < 0)
{
fprintf (stderr, "*** Error loading url: %s\n",
gnutls_strerror (ret));
exit (1);
}
gnutls_free(data.data);
}
fprintf (stdout, "Processed %d client X.509 certificates...\n",
x509_crt_size);
}
#ifdef ENABLE_OPENPGP
if (HAVE_OPT(PGPSUBKEY))
{
get_keyid (keyid, OPT_ARG(PGPSUBKEY));
}
if (pgp_certfile != NULL && pgp_keyfile != NULL)
{
gnutls_openpgp_crt_t tmp_pgp_crt;
ret = gnutls_load_file (pgp_certfile, &data);
if (ret < 0)
{
fprintf (stderr, "*** Error loading PGP cert file.\n");
exit (1);
}
gnutls_openpgp_crt_init (&tmp_pgp_crt);
ret =
gnutls_pcert_import_openpgp_raw (&pgp_crt, &data, GNUTLS_OPENPGP_FMT_BASE64, HAVE_OPT(PGPSUBKEY)?keyid:NULL, 0);
if (ret < 0)
{
fprintf (stderr,
"*** Error loading PGP cert file: %s\n",
gnutls_strerror (ret));
exit (1);
}
gnutls_free (data.data);
ret = gnutls_privkey_init(&pgp_key);
if (ret < 0)
{
fprintf (stderr, "*** Error initializing key: %s\n",
gnutls_strerror (ret));
exit (1);
}
gnutls_privkey_set_pin_function(pgp_key, pin_callback, NULL);
if (gnutls_url_is_supported (pgp_keyfile))
{
ret = gnutls_privkey_import_url( pgp_key, pgp_keyfile, 0);
if (ret < 0)
{
fprintf (stderr, "*** Error loading url: %s\n",
gnutls_strerror (ret));
exit (1);
}
}
else
{
ret = gnutls_load_file (pgp_keyfile, &data);
if (ret < 0)
{
fprintf (stderr, "*** Error loading key file.\n");
exit (1);
}
if (HAVE_OPT(PGPSUBKEY))
ret = gnutls_privkey_import_openpgp_raw( pgp_key, &data, x509ctype, keyid, NULL);
else
ret = gnutls_privkey_import_openpgp_raw( pgp_key, &data, x509ctype, NULL, NULL);
if (ret < 0)
{
fprintf (stderr, "*** Error loading url: %s\n",
gnutls_strerror (ret));
exit (1);
}
gnutls_free(data.data);
}
fprintf (stdout, "Processed 1 client PGP certificate...\n");
}
#endif
}
