/*-
* gnutls_openpgp_get_raw_key_expiration_time:
* @cert: the raw data that contains the OpenPGP public key.
*
* Returns the time when the OpenPGP key expires. A value of '0' means
* that the key doesn't expire at all.
-*/
time_t
_gnutls_openpgp_get_raw_key_expiration_time(const gnutls_datum_t * cert)
{
gnutls_openpgp_crt_t key;
int ret;
time_t tim;
ret = gnutls_openpgp_crt_init(&key);
if (ret < 0) {
gnutls_assert();
return ret;
}
ret = gnutls_openpgp_crt_import(key, cert, GNUTLS_OPENPGP_FMT_RAW);
if (ret < 0) {
gnutls_assert();
return ret;
}
tim = gnutls_openpgp_crt_get_expiration_time(key);
gnutls_openpgp_crt_deinit(key);
return tim;
}
static void print_openpgp_info_compact(gnutls_session_t session)
{
gnutls_openpgp_crt_t crt;
const gnutls_datum_t *cert_list;
unsigned int cert_list_size = 0;
int ret;
cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
if (cert_list_size > 0) {
gnutls_datum_t cinfo;
gnutls_openpgp_crt_init(&crt);
ret = gnutls_openpgp_crt_import(crt, &cert_list[0],
GNUTLS_OPENPGP_FMT_RAW);
if (ret < 0) {
fprintf(stderr, "Decoding error: %s\n",
gnutls_strerror(ret));
return;
}
ret =
gnutls_openpgp_crt_print(crt, GNUTLS_CRT_PRINT_COMPACT,
&cinfo);
if (ret == 0) {
printf("- OpenPGP cert: %s\n", cinfo.data);
gnutls_free(cinfo.data);
}
gnutls_openpgp_crt_deinit(crt);
}
}
/*-
* gnutls_openpgp_fingerprint:
* @cert: the raw data that contains the OpenPGP public key.
* @fpr: the buffer to save the fingerprint.
* @fprlen: the integer to save the length of the fingerprint.
*
* Returns the fingerprint of the OpenPGP key. Depence on the algorithm,
* the fingerprint can be 16 or 20 bytes.
-*/
int
_gnutls_openpgp_fingerprint(const gnutls_datum_t * cert,
unsigned char *fpr, size_t * fprlen)
{
gnutls_openpgp_crt_t key;
int ret;
ret = gnutls_openpgp_crt_init(&key);
if (ret < 0) {
gnutls_assert();
return ret;
}
ret = gnutls_openpgp_crt_import(key, cert, GNUTLS_OPENPGP_FMT_RAW);
if (ret < 0) {
gnutls_assert();
return ret;
}
ret = gnutls_openpgp_crt_get_fingerprint(key, fpr, fprlen);
gnutls_openpgp_crt_deinit(key);
if (ret < 0) {
gnutls_assert();
return ret;
}
return 0;
}
/* returns true or false, depending on whether the hostname
* matches to certificate */
static int
verify_openpgp_hostname (gnutls_session_t session, const char *hostname)
{
gnutls_openpgp_crt_t crt;
const gnutls_datum_t *cert_list;
unsigned int cert_list_size = 0;
int ret;
cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
if (cert_list_size == 0)
{
fprintf (stderr, "No certificates found!\n");
return 0;
}
gnutls_openpgp_crt_init (&crt);
ret =
gnutls_openpgp_crt_import (crt, &cert_list[0],
GNUTLS_OPENPGP_FMT_RAW);
if (ret < 0)
{
fprintf (stderr, "Decoding error: %s\n",
gnutls_strerror (ret));
return 0;
}
/* Check the hostname of the first certificate if it matches
* the name of the host we connected to.
*/
if (gnutls_openpgp_crt_check_hostname (crt, hostname) == 0)
{
printf
("- The hostname in the certificate does NOT match '%s'\n",
hostname);
ret = 0;
}
else
{
printf ("- The hostname in the certificate matches '%s'.\n",
hostname);
ret = 1;
}
gnutls_openpgp_crt_deinit (crt);
return ret;
}
/**
* gnutls_pcert_import_openpgp_raw:
* @pcert: The pcert structure
* @cert: The raw certificate to be imported
* @format: The format of the certificate
* @keyid: The key ID to use (NULL for the master key)
* @flags: zero for now
*
* This convenience function will import the given certificate to a
* #gnutls_pcert_st structure. The structure must be deinitialized
* afterwards using gnutls_pcert_deinit();
*
* Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
* negative error value.
**/
int gnutls_pcert_import_openpgp_raw (gnutls_pcert_st *pcert,
const gnutls_datum_t* cert,
gnutls_openpgp_crt_fmt_t format,
gnutls_openpgp_keyid_t keyid,
unsigned int flags)
{
int ret;
gnutls_openpgp_crt_t crt;
memset(pcert, 0, sizeof(*pcert));
pcert->cert.data = NULL;
ret = gnutls_openpgp_crt_init(&crt);
if (ret < 0)
return gnutls_assert_val(ret);
ret = gnutls_openpgp_crt_import(crt, cert, format);
if (ret < 0)
{
ret = gnutls_assert_val(ret);
goto cleanup;
}
if (keyid != NULL)
{
ret = gnutls_openpgp_crt_set_preferred_key_id(crt, keyid);
if (ret < 0)
{
ret = gnutls_assert_val(ret);
goto cleanup;
}
}
ret = gnutls_pcert_import_openpgp(pcert, crt, flags);
if (ret < 0)
{
ret = gnutls_assert_val(ret);
goto cleanup;
}
ret = 0;
cleanup:
gnutls_openpgp_crt_deinit(crt);
return ret;
}
/*-
* _gnutls_openpgp_raw_crt_to_gcert - Converts raw OpenPGP data to GnuTLS certs
* @cert: the certificate to store the data.
* @raw: the buffer which contains the whole OpenPGP key packets.
*
* The RFC2440 (OpenPGP Message Format) data is converted to a GnuTLS
* specific certificate.
-*/
int
_gnutls_openpgp_raw_crt_to_gcert (gnutls_cert * gcert,
const gnutls_datum_t * raw,
const gnutls_openpgp_keyid_t keyid)
{
gnutls_openpgp_crt_t pcrt;
int ret;
ret = gnutls_openpgp_crt_init (&pcrt);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
ret = gnutls_openpgp_crt_import (pcrt, raw, GNUTLS_OPENPGP_FMT_RAW);
if (ret < 0)
{
gnutls_assert ();
gnutls_openpgp_crt_deinit (pcrt);
return ret;
}
if (keyid != NULL)
{
ret = gnutls_openpgp_crt_set_preferred_key_id (pcrt, keyid);
if (ret < 0)
{
gnutls_assert ();
gnutls_openpgp_crt_deinit (pcrt);
return ret;
}
}
ret = _gnutls_openpgp_crt_to_gcert (gcert, pcrt);
gnutls_openpgp_crt_deinit (pcrt);
return ret;
}
static void
print_openpgp_info (gnutls_session_t session, int flag, int print_cert)
{
gnutls_openpgp_crt_t crt;
const gnutls_datum_t *cert_list;
unsigned int cert_list_size = 0;
int ret;
printf ("- Certificate type: OpenPGP\n");
cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
if (cert_list_size > 0)
{
gnutls_datum_t cinfo;
gnutls_openpgp_crt_init (&crt);
ret = gnutls_openpgp_crt_import (crt, &cert_list[0],
GNUTLS_OPENPGP_FMT_RAW);
if (ret < 0)
{
fprintf (stderr, "Decoding error: %s\n",
gnutls_strerror (ret));
return;
}
ret =
gnutls_openpgp_crt_print (crt, flag, &cinfo);
if (ret == 0)
{
printf ("- %s\n", cinfo.data);
gnutls_free (cinfo.data);
}
if (print_cert)
{
size_t size = 0;
char *p = NULL;
ret =
gnutls_openpgp_crt_export (crt,
GNUTLS_OPENPGP_FMT_BASE64,
p, &size);
if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
{
p = malloc (size);
if (!p)
{
fprintf (stderr, "gnutls_malloc\n");
exit (1);
}
ret =
gnutls_openpgp_crt_export (crt,
GNUTLS_OPENPGP_FMT_BASE64,
p, &size);
}
if (ret < 0)
{
fprintf (stderr, "Encoding error: %s\n",
gnutls_strerror (ret));
return;
}
fputs (p, stdout);
fputs ("\n", stdout);
gnutls_free (p);
}
gnutls_openpgp_crt_deinit (crt);
}
}
/* Load the certificate and the private key.
*/
static void
load_keys (void)
{
unsigned int crt_num;
int ret;
gnutls_datum_t data;
if (x509_certfile != NULL && x509_keyfile != NULL)
{
data = load_file (x509_certfile);
if (data.data == NULL)
{
fprintf (stderr, "*** Error loading cert file.\n");
exit (1);
}
crt_num = MAX_CRT;
ret =
gnutls_x509_crt_list_import (x509_crt, &crt_num, &data,
GNUTLS_X509_FMT_PEM,
GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
if (ret < 0)
{
if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
{
fprintf (stderr,
"*** Error loading cert file: Too many certs %d\n",
crt_num);
}
else
{
fprintf (stderr,
"*** Error loading cert file: %s\n",
gnutls_strerror (ret));
}
exit (1);
}
x509_crt_size = ret;
fprintf (stderr, "Processed %d client certificates...\n", ret);
unload_file (data);
data = load_file (x509_keyfile);
if (data.data == NULL)
{
fprintf (stderr, "*** Error loading key file.\n");
exit (1);
}
gnutls_x509_privkey_init (&x509_key);
ret = gnutls_x509_privkey_import (x509_key, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
{
fprintf (stderr, "*** Error loading key file: %s\n",
gnutls_strerror (ret));
exit (1);
}
unload_file (data);
fprintf (stderr, "Processed %d client X.509 certificates...\n",
x509_crt_size);
}
#ifdef ENABLE_OPENPGP
if (pgp_certfile != NULL && pgp_keyfile != NULL)
{
data = load_file (pgp_certfile);
if (data.data == NULL)
{
fprintf (stderr, "*** Error loading PGP cert file.\n");
exit (1);
}
gnutls_openpgp_crt_init (&pgp_crt);
ret =
gnutls_openpgp_crt_import (pgp_crt, &data, GNUTLS_OPENPGP_FMT_BASE64);
if (ret < 0)
{
fprintf (stderr,
"*** Error loading PGP cert file: %s\n",
gnutls_strerror (ret));
exit (1);
}
unload_file (data);
data = load_file (pgp_keyfile);
if (data.data == NULL)
{
fprintf (stderr, "*** Error loading PGP key file.\n");
exit (1);
}
gnutls_openpgp_privkey_init (&pgp_key);
ret =
gnutls_openpgp_privkey_import (pgp_key, &data,
GNUTLS_OPENPGP_FMT_BASE64, NULL, 0);
if (ret < 0)
{
fprintf (stderr,
"*** Error loading PGP key file: %s\n",
gnutls_strerror (ret));
exit (1);
}
unload_file (data);
if (info.pgp_subkey != NULL)
{
gnutls_openpgp_keyid_t keyid;
if (strcasecmp (info.pgp_subkey, "auto") == 0)
{
ret = gnutls_openpgp_crt_get_auth_subkey (pgp_crt, keyid, 1);
if (ret < 0)
{
fprintf (stderr,
"*** Error setting preferred sub key id (%s): %s\n",
info.pgp_subkey, gnutls_strerror (ret));
exit (1);
}
}
else
get_keyid (keyid, info.pgp_subkey);
ret = gnutls_openpgp_crt_set_preferred_key_id (pgp_crt, keyid);
if (ret >= 0)
ret =
gnutls_openpgp_privkey_set_preferred_key_id (pgp_key, keyid);
if (ret < 0)
{
fprintf (stderr,
"*** Error setting preferred sub key id (%s): %s\n",
info.pgp_subkey, gnutls_strerror (ret));
exit (1);
}
}
fprintf (stderr, "Processed 1 client PGP certificate...\n");
}
#endif
}
/*-
* gnutls_openpgp_verify_key:
* @hostname: the name of the certificate holder
* @cert_list: the structure that holds the certificates.
* @cert_list_lenght: the items in the cert_list.
* @status: the output of the verification function
*
* Verify all signatures in the certificate list. When the key
* is not available, the signature is skipped.
*
* Returns: a negative error code on error and %GNUTLS_E_SUCCESS (0) on success.
*
* NOTE: this function does not verify using any "web of trust". You
* may use GnuPG for that purpose, or any other external PGP application.
-*/
int
_gnutls_openpgp_verify_key(const gnutls_certificate_credentials_t cred,
gnutls_x509_subject_alt_name_t type,
const char *hostname,
const gnutls_datum_t * cert_list,
int cert_list_length,
unsigned int verify_flags,
unsigned int *status)
{
int ret = 0;
gnutls_openpgp_crt_t key = NULL;
unsigned int verify = 0, verify_self = 0;
if (!cert_list || cert_list_length != 1) {
gnutls_assert();
return GNUTLS_E_NO_CERTIFICATE_FOUND;
}
ret = gnutls_openpgp_crt_init(&key);
if (ret < 0) {
gnutls_assert();
return ret;
}
ret =
gnutls_openpgp_crt_import(key, &cert_list[0],
GNUTLS_OPENPGP_FMT_RAW);
if (ret < 0) {
gnutls_assert();
goto leave;
}
if (cred->keyring != NULL) {
ret =
gnutls_openpgp_crt_verify_ring(key, cred->keyring, 0,
&verify);
if (ret < 0) {
gnutls_assert();
goto leave;
}
}
/* Now try the self signature. */
ret = gnutls_openpgp_crt_verify_self(key, 0, &verify_self);
if (ret < 0) {
gnutls_assert();
goto leave;
}
*status = verify_self | verify;
/* If we only checked the self signature. */
if (!cred->keyring)
*status |= GNUTLS_CERT_SIGNER_NOT_FOUND;
if (hostname) {
ret = gnutls_openpgp_crt_check_hostname2(key, hostname, verify_flags);
if (ret == 0)
*status |= GNUTLS_CERT_UNEXPECTED_OWNER;
}
ret = 0;
leave:
gnutls_openpgp_crt_deinit(key);
return ret;
}
static void
print_openpgp_info (gnutls_session_t session, const char *hostname,
int insecure)
{
gnutls_openpgp_crt_t crt;
const gnutls_datum_t *cert_list;
int cert_list_size = 0;
int hostname_ok = 0;
int ret;
cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
if (cert_list_size > 0)
{
gnutls_datum_t cinfo;
gnutls_openpgp_crt_init (&crt);
ret = gnutls_openpgp_crt_import (crt, &cert_list[0],
GNUTLS_OPENPGP_FMT_RAW);
if (ret < 0)
{
fprintf (stderr, "Decoding error: %s\n", gnutls_strerror (ret));
return;
}
if (verbose)
ret = gnutls_openpgp_crt_print (crt, GNUTLS_CRT_PRINT_FULL, &cinfo);
else
ret =
gnutls_openpgp_crt_print (crt, GNUTLS_CRT_PRINT_ONELINE, &cinfo);
if (ret == 0)
{
printf (" - %s\n", cinfo.data);
gnutls_free (cinfo.data);
}
if (print_cert)
{
size_t size = 0;
char *p = NULL;
ret = gnutls_openpgp_crt_export (crt, GNUTLS_OPENPGP_FMT_BASE64,
p, &size);
if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
{
p = malloc (size);
if (!p)
{
fprintf (stderr, "gnutls_malloc\n");
exit (1);
}
ret = gnutls_openpgp_crt_export (crt, GNUTLS_OPENPGP_FMT_BASE64,
p, &size);
}
if (ret < 0)
{
fprintf (stderr, "Encoding error: %s\n", gnutls_strerror (ret));
return;
}
fputs (p, stdout);
fputs ("\n", stdout);
gnutls_free (p);
}
if (hostname != NULL)
{
/* Check the hostname of the first certificate if it matches
* the name of the host we connected to.
*/
if (gnutls_openpgp_crt_check_hostname (crt, hostname) == 0)
hostname_ok = 1;
else
hostname_ok = 2;
}
gnutls_openpgp_crt_deinit (crt);
}
if (hostname_ok == 1)
{
printf ("- The hostname in the certificate does NOT match '%s'\n",
hostname);
if (!insecure)
exit (1);
}
else if (hostname_ok == 2)
{
printf ("- The hostname in the certificate matches '%s'.\n", hostname);
}
}
void doit(void)
{
gnutls_x509_crt_t x509;
#ifdef ENABLE_OPENPGP
gnutls_openpgp_crt_t pgp;
#endif
gnutls_datum_t data;
int ret;
ret = global_init();
if (ret < 0)
fail("global_init: %d\n", ret);
ret = gnutls_x509_crt_init(&x509);
if (ret < 0)
fail("gnutls_x509_crt_init: %d\n", ret);
#ifdef ENABLE_OPENPGP
ret = gnutls_openpgp_crt_init(&pgp);
if (ret < 0)
fail("gnutls_openpgp_crt_init: %d\n", ret);
#endif
if (debug)
success("Testing wildcards...\n");
data.data = (unsigned char *) wildcards;
data.size = strlen(wildcards);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "example.com");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "example.org");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "www.example.net");
if (ret==0)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
if (debug)
success("Testing pem1...\n");
data.data = (unsigned char *) pem1;
data.size = strlen(pem1);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "foo");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
if (debug)
success("Testing pem2...\n");
data.data = (unsigned char *) pem2;
data.size = strlen(pem2);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "foo");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "www.example.org");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "*.example.org");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
if (debug)
success("Testing pem3...\n");
data.data = (unsigned char *) pem3;
data.size = strlen(pem3);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "foo");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "www.example.org");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "*.example.org");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
if (debug)
success("Testing pem4...\n");
data.data = (unsigned char *) pem4;
data.size = strlen(pem4);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "foo");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "www.example.org");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname2(x509, "www.example.org", GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS);
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "foo.example.org");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "foo.example.com");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
#ifdef SUPPORT_COMPLEX_WILDCARDS
if (debug)
success("Testing pem6...\n");
data.data = (unsigned char *) pem6;
data.size = strlen(pem6);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "foo.example.org");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "bar.foo.example.org");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
if (debug)
success("Testing pem7...\n");
data.data = (unsigned char *) pem7;
data.size = strlen(pem7);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "foo.bar.example.org");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret =
gnutls_x509_crt_check_hostname(x509, "foobar.bar.example.org");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "foobar.example.org");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
ret =
gnutls_x509_crt_check_hostname(x509, "foobazbar.example.org");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
#endif
if (debug)
success("Testing pem8...\n");
data.data = (unsigned char *) pem8;
data.size = strlen(pem8);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
/* this was passing in old gnutls versions, but that was not a
* good idea. See http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/7380
* for a discussion. */
ret = gnutls_x509_crt_check_hostname(x509, "www.example.org");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "www.example.");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
/* this was passing in old gnutls versions, but that was not a
* good idea. See http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/7380
* for a discussion. */
ret = gnutls_x509_crt_check_hostname(x509, "www.example.com");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "www.example.foo.com");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
if (debug)
success("Testing pem9...\n");
data.data = (unsigned char *) pem9;
data.size = strlen(pem9);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "foo.example.org");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "bar.example.org");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
if (debug)
success("Testing pem10...\n");
data.data = (unsigned char *) pem10;
data.size = strlen(pem10);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "localhost");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
if (debug)
success("Testing pem_too_many...\n");
data.data = (unsigned char *) pem_too_many;
data.size = strlen(pem_too_many);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
ret =
gnutls_x509_crt_check_hostname(x509,
"localhost.gnutls.gnutls.org");
if (ret)
fail("%d: Hostname verification should have failed (too many wildcards)\n", __LINE__);
if (debug)
success("Testing pem-ips...\n");
data.data = (unsigned char *) pem_ips;
data.size = strlen(pem_ips);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "127.0.0.2");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "example.com");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "127.0.0.1");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "192.168.5.1");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "::1");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "fe80::3e97:eff:fe18:359a");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
if (debug)
success("Testing multi-cns...\n");
data.data = (unsigned char *) multi_cns;
data.size = strlen(multi_cns);
ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "example.com");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "www.example.com");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "www.example2.com");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
ret = gnutls_x509_crt_check_hostname(x509, "www.example3.com");
if (ret)
fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);
#ifdef ENABLE_OPENPGP
if (debug)
success("Testing pem11...\n");
data.data = (unsigned char *) pem11;
data.size = strlen(pem11);
ret =
gnutls_openpgp_crt_import(pgp, &data,
GNUTLS_OPENPGP_FMT_BASE64);
if (ret < 0)
fail("%d: gnutls_openpgp_crt_import: %d\n", __LINE__, ret);
ret = gnutls_openpgp_crt_check_hostname(pgp, "test.gnutls.org");
if (!ret)
fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
gnutls_openpgp_crt_deinit(pgp);
#endif
gnutls_x509_crt_deinit(x509);
gnutls_global_deinit();
}
static int pgp_crt_to_raw_pubkey(const gnutls_datum_t * cert, gnutls_datum_t *rpubkey)
{
#ifdef ENABLE_OPENPGP
gnutls_openpgp_crt_t crt = NULL;
gnutls_pubkey_t pubkey = NULL;
size_t size;
int ret;
ret = gnutls_openpgp_crt_init(&crt);
if (ret < 0)
return gnutls_assert_val(ret);
ret = gnutls_pubkey_init(&pubkey);
if (ret < 0)
{
gnutls_assert();
goto cleanup;
}
ret = gnutls_openpgp_crt_import(crt, cert, GNUTLS_OPENPGP_FMT_RAW);
if (ret < 0)
{
gnutls_assert();
goto cleanup;
}
ret = gnutls_pubkey_import_openpgp (pubkey, crt, 0);
if (ret < 0)
{
gnutls_assert();
goto cleanup;
}
size = 0;
ret = gnutls_pubkey_export(pubkey, GNUTLS_X509_FMT_DER, NULL, &size);
if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
{
gnutls_assert();
goto cleanup;
}
rpubkey->data = gnutls_malloc(size);
if (rpubkey->data == NULL)
if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
{
ret = GNUTLS_E_MEMORY_ERROR;
gnutls_assert();
goto cleanup;
}
ret = gnutls_pubkey_export(pubkey, GNUTLS_X509_FMT_DER, rpubkey->data, &size);
if (ret < 0)
{
gnutls_free(rpubkey->data);
gnutls_assert();
goto cleanup;
}
rpubkey->size = size;
ret = 0;
cleanup:
gnutls_openpgp_crt_deinit(crt);
gnutls_pubkey_deinit(pubkey);
return ret;
#else
return GNUTLS_E_UNIMPLEMENTED_FEATURE;
#endif
}
void
doit (void)
{
gnutls_x509_crt_t x509;
#ifdef ENABLE_OPENPGP
gnutls_openpgp_crt_t pgp;
#endif
gnutls_datum_t data;
int ret;
ret = gnutls_global_init ();
if (ret < 0)
fail ("gnutls_global_init: %d\n", ret);
ret = gnutls_x509_crt_init (&x509);
if (ret < 0)
fail ("gnutls_x509_crt_init: %d\n", ret);
#ifdef ENABLE_OPENPGP
ret = gnutls_openpgp_crt_init (&pgp);
if (ret < 0)
fail ("gnutls_openpgp_crt_init: %d\n", ret);
#endif
if (debug)
success ("Testing pem1...\n");
data.data = pem1;
data.size = strlen (pem1);
ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_crt_import: %d\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foo");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
if (debug)
success ("Testing pem2...\n");
data.data = pem2;
data.size = strlen (pem2);
ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_crt_import: %d\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foo");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "www.example.org");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "*.example.org");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
if (debug)
success ("Testing pem3...\n");
data.data = pem3;
data.size = strlen (pem3);
ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_crt_import: %d\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foo");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "www.example.org");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "*.example.org");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
if (debug)
success ("Testing pem4...\n");
data.data = pem4;
data.size = strlen (pem4);
ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_crt_import: %d\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foo");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "www.example.org");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foo.example.org");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foo.example.com");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
if (debug)
success ("Testing pem5...\n");
data.data = pem5;
data.size = strlen (pem5);
ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_crt_import: %d\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foo");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "1.2.3.4");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "www.example.org");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
if (debug)
success ("Testing pem6...\n");
data.data = pem6;
data.size = strlen (pem6);
ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_crt_import: %d\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foo.example.org");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "bar.foo.example.org");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
if (debug)
success ("Testing pem7...\n");
data.data = pem7;
data.size = strlen (pem7);
ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_crt_import: %d\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foo.bar.example.org");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foobar.bar.example.org");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foobar.example.org");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foobazbar.example.org");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
if (debug)
success ("Testing pem8...\n");
data.data = pem8;
data.size = strlen (pem8);
ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_crt_import: %d\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "www.example.org");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "www.example.");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "www.example.com");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "www.example.foo.com");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
if (debug)
success ("Testing pem9...\n");
data.data = pem9;
data.size = strlen (pem9);
ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_crt_import: %d\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "foo.example.org");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "bar.example.org");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
if (debug)
success ("Testing pem10...\n");
data.data = pem10;
data.size = strlen (pem10);
ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("gnutls_x509_crt_import: %d\n", ret);
ret = gnutls_x509_crt_check_hostname (x509, "localhost");
if (ret)
fail ("Hostname incorrectly matches (%d)\n", ret);
#ifdef ENABLE_OPENPGP
if (debug)
success ("Testing pem11...\n");
data.data = pem11;
data.size = strlen (pem11);
ret = gnutls_openpgp_crt_import (pgp, &data, GNUTLS_OPENPGP_FMT_BASE64);
if (ret < 0)
fail ("gnutls_openpgp_crt_import: %d\n", ret);
ret = gnutls_openpgp_crt_check_hostname (pgp, "test.gnutls.org");
if (!ret)
fail ("Hostname incorrectly does not match (%d)\n", ret);
gnutls_openpgp_crt_deinit (pgp);
#endif
gnutls_x509_crt_deinit (x509);
gnutls_global_deinit ();
}
/**
* gnutls_certificate_set_openpgp_key_mem2 - Used to set OpenPGP keys
* @res: the destination context to save the data.
* @cert: the datum that contains the public key.
* @key: the datum that contains the secret key.
* @subkey_id: a hex encoded subkey id
* @format: the format of the keys
*
* This funtion is used to load OpenPGP keys into the GnuTLS
* credentials structure. The files should only contain one key which
* is not encrypted.
*
* The special keyword "auto" is also accepted as @subkey_id. In that
* case the gnutls_openpgp_crt_get_auth_subkey() will be used to
* retrieve the subkey.
*
* Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
* negative error value.
*
* Since: 2.4.0
**/
int
gnutls_certificate_set_openpgp_key_mem2 (gnutls_certificate_credentials_t res,
const gnutls_datum_t * cert,
const gnutls_datum_t * key,
const char *subkey_id,
gnutls_openpgp_crt_fmt_t format)
{
gnutls_openpgp_privkey_t pkey;
gnutls_openpgp_crt_t crt;
int ret;
ret = gnutls_openpgp_privkey_init (&pkey);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
ret = gnutls_openpgp_privkey_import (pkey, key, format, NULL, 0);
if (ret < 0)
{
gnutls_assert ();
gnutls_openpgp_privkey_deinit (pkey);
return ret;
}
ret = gnutls_openpgp_crt_init (&crt);
if (ret < 0)
{
gnutls_assert ();
gnutls_openpgp_privkey_deinit (pkey);
return ret;
}
ret = gnutls_openpgp_crt_import (crt, cert, format);
if (ret < 0)
{
gnutls_assert ();
gnutls_openpgp_privkey_deinit (pkey);
gnutls_openpgp_crt_deinit (crt);
return ret;
}
if (subkey_id != NULL)
{
gnutls_openpgp_keyid_t keyid;
if (strcasecmp (subkey_id, "auto") == 0)
ret = gnutls_openpgp_crt_get_auth_subkey (crt, keyid, 1);
else
ret = get_keyid (keyid, subkey_id);
if (ret >= 0)
{
ret = gnutls_openpgp_crt_set_preferred_key_id (crt, keyid);
if (ret >= 0)
ret = gnutls_openpgp_privkey_set_preferred_key_id (pkey, keyid);
}
if (ret < 0)
{
gnutls_assert ();
gnutls_openpgp_privkey_deinit (pkey);
gnutls_openpgp_crt_deinit (crt);
return ret;
}
}
ret = gnutls_certificate_set_openpgp_key (res, crt, pkey);
gnutls_openpgp_privkey_deinit (pkey);
gnutls_openpgp_crt_deinit (crt);
return ret;
}