Example #1
0
/*-
 * gnutls_openpgp_get_raw_key_expiration_time:
 * @cert: the raw data that contains the OpenPGP public key.
 *
 * Returns the time when the OpenPGP key expires. A value of '0' means
 * that the key doesn't expire at all.
 -*/
time_t
_gnutls_openpgp_get_raw_key_expiration_time(const gnutls_datum_t * cert)
{
	gnutls_openpgp_crt_t key;
	int ret;
	time_t tim;

	ret = gnutls_openpgp_crt_init(&key);
	if (ret < 0) {
		gnutls_assert();
		return ret;
	}

	ret = gnutls_openpgp_crt_import(key, cert, GNUTLS_OPENPGP_FMT_RAW);
	if (ret < 0) {
		gnutls_assert();
		return ret;
	}

	tim = gnutls_openpgp_crt_get_expiration_time(key);

	gnutls_openpgp_crt_deinit(key);

	return tim;
}
Example #2
0
static void print_openpgp_info_compact(gnutls_session_t session)
{

	gnutls_openpgp_crt_t crt;
	const gnutls_datum_t *cert_list;
	unsigned int cert_list_size = 0;
	int ret;

	cert_list = gnutls_certificate_get_peers(session, &cert_list_size);

	if (cert_list_size > 0) {
		gnutls_datum_t cinfo;

		gnutls_openpgp_crt_init(&crt);
		ret = gnutls_openpgp_crt_import(crt, &cert_list[0],
						GNUTLS_OPENPGP_FMT_RAW);
		if (ret < 0) {
			fprintf(stderr, "Decoding error: %s\n",
				gnutls_strerror(ret));
			return;
		}

		ret =
		    gnutls_openpgp_crt_print(crt, GNUTLS_CRT_PRINT_COMPACT,
					     &cinfo);
		if (ret == 0) {
			printf("- OpenPGP cert: %s\n", cinfo.data);
			gnutls_free(cinfo.data);
		}

		gnutls_openpgp_crt_deinit(crt);
	}
}
Example #3
0
/*-
 * gnutls_openpgp_fingerprint:
 * @cert: the raw data that contains the OpenPGP public key.
 * @fpr: the buffer to save the fingerprint.
 * @fprlen: the integer to save the length of the fingerprint.
 *
 * Returns the fingerprint of the OpenPGP key. Depence on the algorithm,
 * the fingerprint can be 16 or 20 bytes.
 -*/
int
_gnutls_openpgp_fingerprint(const gnutls_datum_t * cert,
			    unsigned char *fpr, size_t * fprlen)
{
	gnutls_openpgp_crt_t key;
	int ret;

	ret = gnutls_openpgp_crt_init(&key);
	if (ret < 0) {
		gnutls_assert();
		return ret;
	}

	ret = gnutls_openpgp_crt_import(key, cert, GNUTLS_OPENPGP_FMT_RAW);
	if (ret < 0) {
		gnutls_assert();
		return ret;
	}

	ret = gnutls_openpgp_crt_get_fingerprint(key, fpr, fprlen);
	gnutls_openpgp_crt_deinit(key);
	if (ret < 0) {
		gnutls_assert();
		return ret;
	}

	return 0;
}
Example #4
0
/* returns true or false, depending on whether the hostname
 * matches to certificate */
static int
verify_openpgp_hostname (gnutls_session_t session, const char *hostname)
{
  gnutls_openpgp_crt_t crt;
  const gnutls_datum_t *cert_list;
  unsigned int cert_list_size = 0;
  int ret;

  cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
  if (cert_list_size == 0)
    {
      fprintf (stderr, "No certificates found!\n");
      return 0;
    }

  gnutls_openpgp_crt_init (&crt);
  ret =
      gnutls_openpgp_crt_import (crt, &cert_list[0],
                              GNUTLS_OPENPGP_FMT_RAW);
  if (ret < 0)
    {
      fprintf (stderr, "Decoding error: %s\n",
               gnutls_strerror (ret));
      return 0;
    }

  /* Check the hostname of the first certificate if it matches
   * the name of the host we connected to.
   */
  if (gnutls_openpgp_crt_check_hostname (crt, hostname) == 0)
    {
      printf
             ("- The hostname in the certificate does NOT match '%s'\n",
              hostname);
      ret = 0;
    }
  else
    {
      printf ("- The hostname in the certificate matches '%s'.\n",
              hostname);
      ret = 1;
    }

  gnutls_openpgp_crt_deinit (crt);

  return ret;
}
Example #5
0
/**
 * gnutls_pcert_import_openpgp_raw:
 * @pcert: The pcert structure
 * @cert: The raw certificate to be imported
 * @format: The format of the certificate
 * @keyid: The key ID to use (NULL for the master key)
 * @flags: zero for now
 *
 * This convenience function will import the given certificate to a
 * #gnutls_pcert_st structure. The structure must be deinitialized
 * afterwards using gnutls_pcert_deinit();
 *
 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
 *   negative error value.
 **/
int gnutls_pcert_import_openpgp_raw (gnutls_pcert_st *pcert,
	const gnutls_datum_t* cert, 
	gnutls_openpgp_crt_fmt_t format, 
	gnutls_openpgp_keyid_t keyid,
	unsigned int flags)
{
int ret;
gnutls_openpgp_crt_t crt;

  memset(pcert, 0, sizeof(*pcert));

  pcert->cert.data = NULL;

  ret = gnutls_openpgp_crt_init(&crt);
  if (ret < 0)
    return gnutls_assert_val(ret);

  ret = gnutls_openpgp_crt_import(crt, cert, format);
  if (ret < 0)
    {
      ret = gnutls_assert_val(ret);
      goto cleanup;
    }

  if (keyid != NULL)
    {
      ret = gnutls_openpgp_crt_set_preferred_key_id(crt, keyid);
      if (ret < 0)
        {
          ret = gnutls_assert_val(ret);
          goto cleanup;
        }
    }

  ret = gnutls_pcert_import_openpgp(pcert, crt, flags);
  if (ret < 0)
    {
      ret = gnutls_assert_val(ret);
      goto cleanup;
    }
  ret = 0;

cleanup:
  gnutls_openpgp_crt_deinit(crt);

  return ret;
}
Example #6
0
/*-
 * _gnutls_openpgp_raw_crt_to_gcert - Converts raw OpenPGP data to GnuTLS certs
 * @cert: the certificate to store the data.
 * @raw: the buffer which contains the whole OpenPGP key packets.
 *
 * The RFC2440 (OpenPGP Message Format) data is converted to a GnuTLS
 * specific certificate.
 -*/
int
_gnutls_openpgp_raw_crt_to_gcert (gnutls_cert * gcert,
				  const gnutls_datum_t * raw,
				  const gnutls_openpgp_keyid_t keyid)
{
  gnutls_openpgp_crt_t pcrt;
  int ret;

  ret = gnutls_openpgp_crt_init (&pcrt);
  if (ret < 0)
    {
      gnutls_assert ();
      return ret;
    }

  ret = gnutls_openpgp_crt_import (pcrt, raw, GNUTLS_OPENPGP_FMT_RAW);
  if (ret < 0)
    {
      gnutls_assert ();
      gnutls_openpgp_crt_deinit (pcrt);
      return ret;
    }

  if (keyid != NULL)
    {
      ret = gnutls_openpgp_crt_set_preferred_key_id (pcrt, keyid);
      if (ret < 0)
	{
	  gnutls_assert ();
	  gnutls_openpgp_crt_deinit (pcrt);
	  return ret;
	}
    }

  ret = _gnutls_openpgp_crt_to_gcert (gcert, pcrt);
  gnutls_openpgp_crt_deinit (pcrt);

  return ret;
}
Example #7
0
static void
print_openpgp_info (gnutls_session_t session, int flag, int print_cert)
{

    gnutls_openpgp_crt_t crt;
    const gnutls_datum_t *cert_list;
    unsigned int cert_list_size = 0;
    int ret;

    printf ("- Certificate type: OpenPGP\n");

    cert_list = gnutls_certificate_get_peers (session, &cert_list_size);

    if (cert_list_size > 0)
      {
          gnutls_datum_t cinfo;

          gnutls_openpgp_crt_init (&crt);
          ret = gnutls_openpgp_crt_import (crt, &cert_list[0],
                                           GNUTLS_OPENPGP_FMT_RAW);
          if (ret < 0)
            {
                fprintf (stderr, "Decoding error: %s\n",
                         gnutls_strerror (ret));
                return;
            }

          ret =
              gnutls_openpgp_crt_print (crt, flag, &cinfo);
          if (ret == 0)
            {
                printf ("- %s\n", cinfo.data);
                gnutls_free (cinfo.data);
            }

          if (print_cert)
            {
                size_t size = 0;
                char *p = NULL;

                ret =
                    gnutls_openpgp_crt_export (crt,
                                               GNUTLS_OPENPGP_FMT_BASE64,
                                               p, &size);
                if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
                  {
                      p = malloc (size);
                      if (!p)
                        {
                            fprintf (stderr, "gnutls_malloc\n");
                            exit (1);
                        }

                      ret =
                          gnutls_openpgp_crt_export (crt,
                                                     GNUTLS_OPENPGP_FMT_BASE64,
                                                     p, &size);
                  }
                if (ret < 0)
                  {
                      fprintf (stderr, "Encoding error: %s\n",
                               gnutls_strerror (ret));
                      return;
                  }

                fputs (p, stdout);
                fputs ("\n", stdout);

                gnutls_free (p);
            }

          gnutls_openpgp_crt_deinit (crt);
      }
}
Example #8
0
/* Load the certificate and the private key.
 */
static void
load_keys (void)
{
  unsigned int crt_num;
  int ret;
  gnutls_datum_t data;

  if (x509_certfile != NULL && x509_keyfile != NULL)
    {
      data = load_file (x509_certfile);
      if (data.data == NULL)
	{
	  fprintf (stderr, "*** Error loading cert file.\n");
	  exit (1);
	}

      crt_num = MAX_CRT;
      ret =
	gnutls_x509_crt_list_import (x509_crt, &crt_num, &data,
				     GNUTLS_X509_FMT_PEM,
				     GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
      if (ret < 0)
	{
	  if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
	    {
	      fprintf (stderr,
		       "*** Error loading cert file: Too many certs %d\n",
		       crt_num);

	    }
	  else
	    {
	      fprintf (stderr,
		       "*** Error loading cert file: %s\n",
		       gnutls_strerror (ret));
	    }
	  exit (1);
	}
      x509_crt_size = ret;
      fprintf (stderr, "Processed %d client certificates...\n", ret);

      unload_file (data);

      data = load_file (x509_keyfile);
      if (data.data == NULL)
	{
	  fprintf (stderr, "*** Error loading key file.\n");
	  exit (1);
	}

      gnutls_x509_privkey_init (&x509_key);

      ret = gnutls_x509_privkey_import (x509_key, &data, GNUTLS_X509_FMT_PEM);
      if (ret < 0)
	{
	  fprintf (stderr, "*** Error loading key file: %s\n",
		   gnutls_strerror (ret));
	  exit (1);
	}

      unload_file (data);

      fprintf (stderr, "Processed %d client X.509 certificates...\n",
	       x509_crt_size);
    }
#ifdef ENABLE_OPENPGP
  if (pgp_certfile != NULL && pgp_keyfile != NULL)
    {
      data = load_file (pgp_certfile);
      if (data.data == NULL)
	{
	  fprintf (stderr, "*** Error loading PGP cert file.\n");
	  exit (1);
	}
      gnutls_openpgp_crt_init (&pgp_crt);

      ret =
	gnutls_openpgp_crt_import (pgp_crt, &data, GNUTLS_OPENPGP_FMT_BASE64);
      if (ret < 0)
	{
	  fprintf (stderr,
		   "*** Error loading PGP cert file: %s\n",
		   gnutls_strerror (ret));
	  exit (1);
	}


      unload_file (data);

      data = load_file (pgp_keyfile);
      if (data.data == NULL)
	{
	  fprintf (stderr, "*** Error loading PGP key file.\n");
	  exit (1);
	}

      gnutls_openpgp_privkey_init (&pgp_key);

      ret =
	gnutls_openpgp_privkey_import (pgp_key, &data,
				       GNUTLS_OPENPGP_FMT_BASE64, NULL, 0);
      if (ret < 0)
	{
	  fprintf (stderr,
		   "*** Error loading PGP key file: %s\n",
		   gnutls_strerror (ret));
	  exit (1);
	}

      unload_file (data);

      if (info.pgp_subkey != NULL)
	{
	  gnutls_openpgp_keyid_t keyid;

	  if (strcasecmp (info.pgp_subkey, "auto") == 0)
	    {
	      ret = gnutls_openpgp_crt_get_auth_subkey (pgp_crt, keyid, 1);
	      if (ret < 0)
		{
		  fprintf (stderr,
			   "*** Error setting preferred sub key id (%s): %s\n",
			   info.pgp_subkey, gnutls_strerror (ret));
		  exit (1);
		}
	    }
	  else
	    get_keyid (keyid, info.pgp_subkey);

	  ret = gnutls_openpgp_crt_set_preferred_key_id (pgp_crt, keyid);
	  if (ret >= 0)
	    ret =
	      gnutls_openpgp_privkey_set_preferred_key_id (pgp_key, keyid);
	  if (ret < 0)
	    {
	      fprintf (stderr,
		       "*** Error setting preferred sub key id (%s): %s\n",
		       info.pgp_subkey, gnutls_strerror (ret));
	      exit (1);
	    }
	}

      fprintf (stderr, "Processed 1 client PGP certificate...\n");
    }
#endif

}
Example #9
0
/*-
 * gnutls_openpgp_verify_key:
 * @hostname: the name of the certificate holder
 * @cert_list: the structure that holds the certificates.
 * @cert_list_lenght: the items in the cert_list.
 * @status: the output of the verification function
 *
 * Verify all signatures in the certificate list. When the key
 * is not available, the signature is skipped.
 *
 * Returns: a negative error code on error and %GNUTLS_E_SUCCESS (0) on success.
 *
 * NOTE: this function does not verify using any "web of trust". You
 * may use GnuPG for that purpose, or any other external PGP application.
 -*/
int
_gnutls_openpgp_verify_key(const gnutls_certificate_credentials_t cred,
			   gnutls_x509_subject_alt_name_t type,
			   const char *hostname,
			   const gnutls_datum_t * cert_list,
			   int cert_list_length,
			   unsigned int verify_flags,
			   unsigned int *status)
{
	int ret = 0;
	gnutls_openpgp_crt_t key = NULL;
	unsigned int verify = 0, verify_self = 0;

	if (!cert_list || cert_list_length != 1) {
		gnutls_assert();
		return GNUTLS_E_NO_CERTIFICATE_FOUND;
	}

	ret = gnutls_openpgp_crt_init(&key);
	if (ret < 0) {
		gnutls_assert();
		return ret;
	}

	ret =
	    gnutls_openpgp_crt_import(key, &cert_list[0],
				      GNUTLS_OPENPGP_FMT_RAW);
	if (ret < 0) {
		gnutls_assert();
		goto leave;
	}

	if (cred->keyring != NULL) {
		ret =
		    gnutls_openpgp_crt_verify_ring(key, cred->keyring, 0,
						   &verify);
		if (ret < 0) {
			gnutls_assert();
			goto leave;
		}
	}

	/* Now try the self signature. */
	ret = gnutls_openpgp_crt_verify_self(key, 0, &verify_self);
	if (ret < 0) {
		gnutls_assert();
		goto leave;
	}

	*status = verify_self | verify;

	/* If we only checked the self signature. */
	if (!cred->keyring)
		*status |= GNUTLS_CERT_SIGNER_NOT_FOUND;

	if (hostname) {
		ret = gnutls_openpgp_crt_check_hostname2(key, hostname, verify_flags);
		if (ret == 0)
			*status |= GNUTLS_CERT_UNEXPECTED_OWNER;
	}

	ret = 0;

      leave:
	gnutls_openpgp_crt_deinit(key);

	return ret;
}
Example #10
0
File: common.c Project: sqs/gnutls
static void
print_openpgp_info (gnutls_session_t session, const char *hostname,
                    int insecure)
{

  gnutls_openpgp_crt_t crt;
  const gnutls_datum_t *cert_list;
  int cert_list_size = 0;
  int hostname_ok = 0;
  int ret;

  cert_list = gnutls_certificate_get_peers (session, &cert_list_size);

  if (cert_list_size > 0)
    {
      gnutls_datum_t cinfo;

      gnutls_openpgp_crt_init (&crt);
      ret = gnutls_openpgp_crt_import (crt, &cert_list[0],
                                       GNUTLS_OPENPGP_FMT_RAW);
      if (ret < 0)
        {
          fprintf (stderr, "Decoding error: %s\n", gnutls_strerror (ret));
          return;
        }

      if (verbose)
        ret = gnutls_openpgp_crt_print (crt, GNUTLS_CRT_PRINT_FULL, &cinfo);
      else
        ret =
          gnutls_openpgp_crt_print (crt, GNUTLS_CRT_PRINT_ONELINE, &cinfo);
      if (ret == 0)
        {
          printf (" - %s\n", cinfo.data);
          gnutls_free (cinfo.data);
        }

      if (print_cert)
        {
          size_t size = 0;
          char *p = NULL;

          ret = gnutls_openpgp_crt_export (crt, GNUTLS_OPENPGP_FMT_BASE64,
                                           p, &size);
          if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
            {
              p = malloc (size);
              if (!p)
                {
                  fprintf (stderr, "gnutls_malloc\n");
                  exit (1);
                }

              ret = gnutls_openpgp_crt_export (crt, GNUTLS_OPENPGP_FMT_BASE64,
                                               p, &size);
            }
          if (ret < 0)
            {
              fprintf (stderr, "Encoding error: %s\n", gnutls_strerror (ret));
              return;
            }

          fputs (p, stdout);
          fputs ("\n", stdout);

          gnutls_free (p);
        }

      if (hostname != NULL)
        {
          /* Check the hostname of the first certificate if it matches
           * the name of the host we connected to.
           */
          if (gnutls_openpgp_crt_check_hostname (crt, hostname) == 0)
            hostname_ok = 1;
          else
            hostname_ok = 2;
        }

      gnutls_openpgp_crt_deinit (crt);
    }

  if (hostname_ok == 1)
    {
      printf ("- The hostname in the certificate does NOT match '%s'\n",
              hostname);
      if (!insecure)
        exit (1);
    }
  else if (hostname_ok == 2)
    {
      printf ("- The hostname in the certificate matches '%s'.\n", hostname);
    }
}
Example #11
0
void doit(void)
{
	gnutls_x509_crt_t x509;
#ifdef ENABLE_OPENPGP
	gnutls_openpgp_crt_t pgp;
#endif
	gnutls_datum_t data;
	int ret;

	ret = global_init();
	if (ret < 0)
		fail("global_init: %d\n", ret);

	ret = gnutls_x509_crt_init(&x509);
	if (ret < 0)
		fail("gnutls_x509_crt_init: %d\n", ret);

#ifdef ENABLE_OPENPGP
	ret = gnutls_openpgp_crt_init(&pgp);
	if (ret < 0)
		fail("gnutls_openpgp_crt_init: %d\n", ret);
#endif
	if (debug)
		success("Testing wildcards...\n");
	data.data = (unsigned char *) wildcards;
	data.size = strlen(wildcards);

	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "example.com");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "example.org");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "www.example.net");
	if (ret==0)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	if (debug)
		success("Testing pem1...\n");
	data.data = (unsigned char *) pem1;
	data.size = strlen(pem1);

	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "foo");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	if (debug)
		success("Testing pem2...\n");
	data.data = (unsigned char *) pem2;
	data.size = strlen(pem2);

	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "foo");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "www.example.org");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "*.example.org");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	if (debug)
		success("Testing pem3...\n");
	data.data = (unsigned char *) pem3;
	data.size = strlen(pem3);

	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "foo");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "www.example.org");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "*.example.org");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	if (debug)
		success("Testing pem4...\n");
	data.data = (unsigned char *) pem4;
	data.size = strlen(pem4);

	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "foo");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "www.example.org");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname2(x509, "www.example.org", GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS);
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "foo.example.org");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "foo.example.com");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

#ifdef SUPPORT_COMPLEX_WILDCARDS
	if (debug)
		success("Testing pem6...\n");
	data.data = (unsigned char *) pem6;
	data.size = strlen(pem6);

	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "foo.example.org");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "bar.foo.example.org");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	if (debug)
		success("Testing pem7...\n");
	data.data = (unsigned char *) pem7;
	data.size = strlen(pem7);

	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "foo.bar.example.org");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret =
	    gnutls_x509_crt_check_hostname(x509, "foobar.bar.example.org");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "foobar.example.org");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	ret =
	    gnutls_x509_crt_check_hostname(x509, "foobazbar.example.org");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);
#endif

	if (debug)
		success("Testing pem8...\n");
	data.data = (unsigned char *) pem8;
	data.size = strlen(pem8);

	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	/* this was passing in old gnutls versions, but that was not a
	 * good idea. See http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/7380
	 * for a discussion. */
	ret = gnutls_x509_crt_check_hostname(x509, "www.example.org");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "www.example.");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	/* this was passing in old gnutls versions, but that was not a
	 * good idea. See http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/7380
	 * for a discussion. */
	ret = gnutls_x509_crt_check_hostname(x509, "www.example.com");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "www.example.foo.com");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	if (debug)
		success("Testing pem9...\n");
	data.data = (unsigned char *) pem9;
	data.size = strlen(pem9);

	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "foo.example.org");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "bar.example.org");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	if (debug)
		success("Testing pem10...\n");
	data.data = (unsigned char *) pem10;
	data.size = strlen(pem10);

	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "localhost");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	if (debug)
		success("Testing pem_too_many...\n");
	data.data = (unsigned char *) pem_too_many;
	data.size = strlen(pem_too_many);

	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	ret =
	    gnutls_x509_crt_check_hostname(x509,
					   "localhost.gnutls.gnutls.org");
	if (ret)
		fail("%d: Hostname verification should have failed (too many wildcards)\n", __LINE__);

	if (debug)
		success("Testing pem-ips...\n");
	data.data = (unsigned char *) pem_ips;
	data.size = strlen(pem_ips);

	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "127.0.0.2");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "example.com");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "127.0.0.1");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "192.168.5.1");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "::1");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "fe80::3e97:eff:fe18:359a");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	if (debug)
		success("Testing multi-cns...\n");
	data.data = (unsigned char *) multi_cns;
	data.size = strlen(multi_cns);

	ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "example.com");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "www.example.com");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "www.example2.com");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

	ret = gnutls_x509_crt_check_hostname(x509, "www.example3.com");
	if (ret)
		fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret);

#ifdef ENABLE_OPENPGP
	if (debug)
		success("Testing pem11...\n");
	data.data = (unsigned char *) pem11;
	data.size = strlen(pem11);

	ret =
	    gnutls_openpgp_crt_import(pgp, &data,
				      GNUTLS_OPENPGP_FMT_BASE64);
	if (ret < 0)
		fail("%d: gnutls_openpgp_crt_import: %d\n", __LINE__, ret);

	ret = gnutls_openpgp_crt_check_hostname(pgp, "test.gnutls.org");
	if (!ret)
		fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret);

	gnutls_openpgp_crt_deinit(pgp);
#endif
	gnutls_x509_crt_deinit(x509);

	gnutls_global_deinit();
}
static int pgp_crt_to_raw_pubkey(const gnutls_datum_t * cert, gnutls_datum_t *rpubkey)
{
#ifdef ENABLE_OPENPGP
gnutls_openpgp_crt_t crt = NULL;
gnutls_pubkey_t pubkey = NULL;
size_t size;
int ret;

  ret = gnutls_openpgp_crt_init(&crt);
  if (ret < 0)
    return gnutls_assert_val(ret);

  ret = gnutls_pubkey_init(&pubkey);
  if (ret < 0)
    {
      gnutls_assert();
      goto cleanup;
    }
  
  ret = gnutls_openpgp_crt_import(crt, cert, GNUTLS_OPENPGP_FMT_RAW);
  if (ret < 0)
    {
      gnutls_assert();
      goto cleanup;
    }

  ret = gnutls_pubkey_import_openpgp (pubkey, crt, 0);
  if (ret < 0)
    {
      gnutls_assert();
      goto cleanup;
    }
  
  size = 0;
  ret = gnutls_pubkey_export(pubkey, GNUTLS_X509_FMT_DER, NULL, &size);
  if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
    {
      gnutls_assert();
      goto cleanup;
    }

  rpubkey->data = gnutls_malloc(size);
  if (rpubkey->data == NULL)
  if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
    {
      ret = GNUTLS_E_MEMORY_ERROR;
      gnutls_assert();
      goto cleanup;
    }
  
  ret = gnutls_pubkey_export(pubkey, GNUTLS_X509_FMT_DER, rpubkey->data, &size);
  if (ret < 0)
    {
      gnutls_free(rpubkey->data);
      gnutls_assert();
      goto cleanup;
    }

  rpubkey->size = size;
  ret = 0;

cleanup:
  gnutls_openpgp_crt_deinit(crt);
  gnutls_pubkey_deinit(pubkey);

  return ret;
#else
  return GNUTLS_E_UNIMPLEMENTED_FEATURE;
#endif
}
Example #13
0
void
doit (void)
{
  gnutls_x509_crt_t x509;
#ifdef ENABLE_OPENPGP
  gnutls_openpgp_crt_t pgp;
#endif
  gnutls_datum_t data;
  int ret;

  ret = gnutls_global_init ();
  if (ret < 0)
    fail ("gnutls_global_init: %d\n", ret);

  ret = gnutls_x509_crt_init (&x509);
  if (ret < 0)
    fail ("gnutls_x509_crt_init: %d\n", ret);

#ifdef ENABLE_OPENPGP
  ret = gnutls_openpgp_crt_init (&pgp);
  if (ret < 0)
    fail ("gnutls_openpgp_crt_init: %d\n", ret);
#endif

  if (debug)
    success ("Testing pem1...\n");
  data.data = pem1;
  data.size = strlen (pem1);

  ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
  if (ret < 0)
    fail ("gnutls_x509_crt_import: %d\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foo");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  if (debug)
    success ("Testing pem2...\n");
  data.data = pem2;
  data.size = strlen (pem2);

  ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
  if (ret < 0)
    fail ("gnutls_x509_crt_import: %d\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foo");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "www.example.org");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "*.example.org");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  if (debug)
    success ("Testing pem3...\n");
  data.data = pem3;
  data.size = strlen (pem3);

  ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
  if (ret < 0)
    fail ("gnutls_x509_crt_import: %d\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foo");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "www.example.org");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "*.example.org");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  if (debug)
    success ("Testing pem4...\n");
  data.data = pem4;
  data.size = strlen (pem4);

  ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
  if (ret < 0)
    fail ("gnutls_x509_crt_import: %d\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foo");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "www.example.org");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foo.example.org");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foo.example.com");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  if (debug)
    success ("Testing pem5...\n");
  data.data = pem5;
  data.size = strlen (pem5);

  ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
  if (ret < 0)
    fail ("gnutls_x509_crt_import: %d\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foo");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "1.2.3.4");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "www.example.org");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  if (debug)
    success ("Testing pem6...\n");
  data.data = pem6;
  data.size = strlen (pem6);

  ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
  if (ret < 0)
    fail ("gnutls_x509_crt_import: %d\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foo.example.org");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "bar.foo.example.org");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  if (debug)
    success ("Testing pem7...\n");
  data.data = pem7;
  data.size = strlen (pem7);

  ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
  if (ret < 0)
    fail ("gnutls_x509_crt_import: %d\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foo.bar.example.org");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foobar.bar.example.org");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foobar.example.org");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foobazbar.example.org");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  if (debug)
    success ("Testing pem8...\n");
  data.data = pem8;
  data.size = strlen (pem8);

  ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
  if (ret < 0)
    fail ("gnutls_x509_crt_import: %d\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "www.example.org");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "www.example.");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "www.example.com");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "www.example.foo.com");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  if (debug)
    success ("Testing pem9...\n");
  data.data = pem9;
  data.size = strlen (pem9);

  ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
  if (ret < 0)
    fail ("gnutls_x509_crt_import: %d\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "foo.example.org");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "bar.example.org");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  if (debug)
    success ("Testing pem10...\n");
  data.data = pem10;
  data.size = strlen (pem10);

  ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM);
  if (ret < 0)
    fail ("gnutls_x509_crt_import: %d\n", ret);

  ret = gnutls_x509_crt_check_hostname (x509, "localhost");
  if (ret)
    fail ("Hostname incorrectly matches (%d)\n", ret);

#ifdef ENABLE_OPENPGP
  if (debug)
    success ("Testing pem11...\n");
  data.data = pem11;
  data.size = strlen (pem11);

  ret = gnutls_openpgp_crt_import (pgp, &data, GNUTLS_OPENPGP_FMT_BASE64);
  if (ret < 0)
    fail ("gnutls_openpgp_crt_import: %d\n", ret);

  ret = gnutls_openpgp_crt_check_hostname (pgp, "test.gnutls.org");
  if (!ret)
    fail ("Hostname incorrectly does not match (%d)\n", ret);

  gnutls_openpgp_crt_deinit (pgp);
#endif
  gnutls_x509_crt_deinit (x509);

  gnutls_global_deinit ();
}
Example #14
0
/**
 * gnutls_certificate_set_openpgp_key_mem2 - Used to set OpenPGP keys
 * @res: the destination context to save the data.
 * @cert: the datum that contains the public key.
 * @key: the datum that contains the secret key.
 * @subkey_id: a hex encoded subkey id
 * @format: the format of the keys
 *
 * This funtion is used to load OpenPGP keys into the GnuTLS
 * credentials structure.  The files should only contain one key which
 * is not encrypted.
 *
 * The special keyword "auto" is also accepted as @subkey_id.  In that
 * case the gnutls_openpgp_crt_get_auth_subkey() will be used to
 * retrieve the subkey.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
 *   negative error value.
 *
 * Since: 2.4.0
 **/
int
gnutls_certificate_set_openpgp_key_mem2 (gnutls_certificate_credentials_t res,
					 const gnutls_datum_t * cert,
					 const gnutls_datum_t * key,
					 const char *subkey_id,
					 gnutls_openpgp_crt_fmt_t format)
{
  gnutls_openpgp_privkey_t pkey;
  gnutls_openpgp_crt_t crt;
  int ret;

  ret = gnutls_openpgp_privkey_init (&pkey);
  if (ret < 0)
    {
      gnutls_assert ();
      return ret;
    }

  ret = gnutls_openpgp_privkey_import (pkey, key, format, NULL, 0);
  if (ret < 0)
    {
      gnutls_assert ();
      gnutls_openpgp_privkey_deinit (pkey);
      return ret;
    }

  ret = gnutls_openpgp_crt_init (&crt);
  if (ret < 0)
    {
      gnutls_assert ();
      gnutls_openpgp_privkey_deinit (pkey);
      return ret;
    }

  ret = gnutls_openpgp_crt_import (crt, cert, format);
  if (ret < 0)
    {
      gnutls_assert ();
      gnutls_openpgp_privkey_deinit (pkey);
      gnutls_openpgp_crt_deinit (crt);
      return ret;
    }

  if (subkey_id != NULL)
    {
      gnutls_openpgp_keyid_t keyid;

      if (strcasecmp (subkey_id, "auto") == 0)
	ret = gnutls_openpgp_crt_get_auth_subkey (crt, keyid, 1);
      else
	ret = get_keyid (keyid, subkey_id);

      if (ret >= 0)
	{
	  ret = gnutls_openpgp_crt_set_preferred_key_id (crt, keyid);
	  if (ret >= 0)
	    ret = gnutls_openpgp_privkey_set_preferred_key_id (pkey, keyid);
	}

      if (ret < 0)
	{
	  gnutls_assert ();
	  gnutls_openpgp_privkey_deinit (pkey);
	  gnutls_openpgp_crt_deinit (crt);
	  return ret;
	}
    }

  ret = gnutls_certificate_set_openpgp_key (res, crt, pkey);

  gnutls_openpgp_privkey_deinit (pkey);
  gnutls_openpgp_crt_deinit (crt);

  return ret;
}