static gint get_number_and_type_of_certificates(gnutls_datum_t *datum, gnutls_x509_crt_fmt_t *format) { gnutls_x509_crt_t fake = 0; guint retval = 1; gint res = 0; g_debug("%s:%d[%s]", __FILE__, __LINE__, __FUNCTION__); res = gnutls_x509_crt_list_import(&fake, &retval, datum, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); if(GNUTLS_E_SHORT_MEMORY_BUFFER==res || 0<res) { *format = GNUTLS_X509_FMT_PEM; return retval; } /* Try DER */ res = gnutls_x509_crt_list_import(&fake, &retval, datum, GNUTLS_X509_FMT_DER, 0); if(0 < res) { *format = GNUTLS_X509_FMT_DER; return retval; } return res; }
void SslContext::setCertFile(const std::string& filename) { if (error_) return; if (!enabled) return; TRACE("SslContext::setCertFile: \"%s\"", filename.c_str()); gnutls_datum_t data; error_ = loadFile(data, filename); if (error_) { log(x0::Severity::error, "Error loading certificate file(%s): %s", filename.c_str(), error_.message().c_str()); return; } numX509Certs_ = sizeof(x509Certs_) / sizeof(*x509Certs_); // 8 int rv; rv = gnutls_x509_crt_list_import(x509Certs_, &numX509Certs_, &data, GNUTLS_X509_FMT_PEM, 0); if (rv < 0) TRACE("gnutls_x509_crt_list_import: \"%s\"", gnutls_strerror(rv)); for (unsigned i = 0; i < numX509Certs_; ++i) { // read Common Name (CN): TRACE("retrieving Common Name"); std::size_t len = 0; rv = gnutls_x509_crt_get_dn_by_oid(x509Certs_[i], GNUTLS_OID_X520_COMMON_NAME, 0, 0, nullptr, &len); if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && len > 1) { char *buf = new char[len + 1]; rv = gnutls_x509_crt_get_dn_by_oid(x509Certs_[i], GNUTLS_OID_X520_COMMON_NAME, 0, 0, buf, &len); if (rv < 0) TRACE("gnutls_x509_crt_get_dn_by_oid: \"%s\"", gnutls_strerror(rv)); certCN_ = buf; delete[] buf; TRACE("setCertFile: Common Name: \"%s\"", certCN_.c_str()); } // read Subject Alternative-Name: TRACE("retrieving Alternative-Name"); for (int k = 0; !(rv < 0); ++k) { len = 0; rv = gnutls_x509_crt_get_subject_alt_name(x509Certs_[i], k, nullptr, &len, nullptr); if (rv == GNUTLS_E_SHORT_MEMORY_BUFFER && len > 1) { char *buf = new char[len + 1]; rv = gnutls_x509_crt_get_subject_alt_name(x509Certs_[i], k, buf, &len, nullptr); if (rv < 0) TRACE("gnutls_x509_crt_get_subject_alt_name: \"%s\"", gnutls_strerror(rv)); buf[len] = '\0'; if (rv == GNUTLS_SAN_DNSNAME) dnsNames_.push_back(buf); TRACE("setCertFile: Subject: \"%s\"", buf); delete[] buf; } } } freeFile(data); TRACE("setCertFile: success."); }
int ca_cmd(struct tab *t, struct karg *args) { FILE *f = NULL; int rv = 1, certs = 0, certs_read; struct stat sb; gnutls_datum_t dt; gnutls_x509_crt_t *c = NULL; char *certs_buf = NULL, *s; if ((f = fopen(ssl_ca_file, "r")) == NULL) { show_oops(t, "Can't open CA file: %s", ssl_ca_file); return (1); } if (fstat(fileno(f), &sb) == -1) { show_oops(t, "Can't stat CA file: %s", ssl_ca_file); goto done; } certs_buf = g_malloc(sb.st_size + 1); if (fread(certs_buf, 1, sb.st_size, f) != sb.st_size) { show_oops(t, "Can't read CA file: %s", strerror(errno)); goto done; } certs_buf[sb.st_size] = '\0'; s = certs_buf; while ((s = strstr(s, "BEGIN CERTIFICATE"))) { certs++; s += strlen("BEGIN CERTIFICATE"); } bzero(&dt, sizeof dt); dt.data = (unsigned char *)certs_buf; dt.size = sb.st_size; c = g_malloc(sizeof(gnutls_x509_crt_t) * certs); certs_read = gnutls_x509_crt_list_import(c, (unsigned int *)&certs, &dt, GNUTLS_X509_FMT_PEM, 0); if (certs_read <= 0) { show_oops(t, "No cert(s) available"); goto done; } show_certs(t, c, certs_read, "Certificate Authority Certificates"); done: if (c) g_free(c); if (certs_buf) g_free(certs_buf); if (f) fclose(f); return (rv); }
/** Import */ X509CertList(const std::string& certstr) { unsigned int certcount = 3; certs.resize(certcount); Datum datum(certstr); int ret = gnutls_x509_crt_list_import(raw(), &certcount, datum.get(), GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { // the buffer wasn't big enough to hold all certs but gnutls changed certcount to the number of available certs, // try again with a bigger buffer certs.resize(certcount); ret = gnutls_x509_crt_list_import(raw(), &certcount, datum.get(), GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); } ThrowOnError(ret, "Unable to load certificates"); // Resize the vector to the actual number of certs because we rely on its size being correct // when deallocating the certs certs.resize(certcount); }
void doit (void) { gnutls_certificate_credentials_t x509_cred; int ret; unsigned int i; gnutls_x509_crt_t issuer; gnutls_x509_crt_t list[LIST_SIZE]; char dn[128]; size_t dn_size; unsigned int list_size; /* this must be called once in the program */ gnutls_global_init (); gnutls_global_set_log_function (tls_log_func); if (debug) gnutls_global_set_log_level (6); gnutls_certificate_allocate_credentials (&x509_cred); gnutls_certificate_set_x509_trust_mem (x509_cred, &ca, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key, GNUTLS_X509_FMT_PEM); /* test for gnutls_certificate_get_issuer() */ list_size = LIST_SIZE; ret = gnutls_x509_crt_list_import(list, &list_size, &cert, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED); if (ret < 0) fail("gnutls_x509_crt_list_import"); ret = gnutls_certificate_get_issuer(x509_cred, list[0], &issuer, 0); if (ret < 0) fail("gnutls_certificate_get_isser"); dn_size = sizeof(dn); ret = gnutls_x509_crt_get_dn(issuer, dn, &dn_size); if (ret < 0) fail("gnutls_certificate_get_isser"); if (debug) fprintf(stderr, "Issuer's DN: %s\n", dn); for (i=0;i<list_size;i++) gnutls_x509_crt_deinit(list[i]); gnutls_certificate_free_credentials(x509_cred); gnutls_global_deinit(); if (debug) success("success"); }
static gnutls_x509_crt_t *load_ca_list_file(const char *path, size_t *out_list_size, crypto_error **error) { gnutls_x509_crt_t *list; gnutls_datum dt = { NULL, 0 }; size_t fsize = 0; int err; unsigned int num = 200; dt.data = crypto_read_file(path, &fsize, error); if (!dt.data) return NULL; dt.size = (unsigned int) fsize; list = gnutls_malloc(sizeof(gnutls_x509_crt_t) * num); if (!list) { crypto_error_set(error, 1, ENOMEM, "not enough memory for CA list"); goto out; } err = gnutls_x509_crt_list_import(list, &num, &dt, GNUTLS_X509_FMT_PEM, 0); if (err <= 0) { /* DER then maybe */ gnutls_free(list); list = load_one_ca_file(path, error); if (!list) goto out; num = 1; } else num = err; /* gnutls_x509_crt_list_import() returns # read */ if (err < 0) { crypto_error_set(error, 1, 0, "importing CA list (%d)", err); gnutls_free(list); list = NULL; } else *out_list_size = num; out: gnutls_free(dt.data); return list; }
static int qcrypto_tls_creds_load_ca_cert_list(QCryptoTLSCredsX509 *creds, const char *certFile, gnutls_x509_crt_t *certs, unsigned int certMax, size_t *ncerts, Error **errp) { gnutls_datum_t data; char *buf = NULL; gsize buflen; int ret = -1; GError *gerr = NULL; *ncerts = 0; trace_qcrypto_tls_creds_x509_load_cert_list(creds, certFile); if (!g_file_get_contents(certFile, &buf, &buflen, &gerr)) { error_setg(errp, "Cannot load CA cert list %s: %s", certFile, gerr->message); g_error_free(gerr); goto cleanup; } data.data = (unsigned char *)buf; data.size = strlen(buf); if (gnutls_x509_crt_list_import(certs, &certMax, &data, GNUTLS_X509_FMT_PEM, 0) < 0) { error_setg(errp, "Unable to import CA certificate list %s", certFile); goto cleanup; } *ncerts = certMax; ret = 0; cleanup: g_free(buf); return ret; }
static gboolean build_gnutls_ca_and_crl_lists(GIOSchedulerJob *job, GCancellable *cancellable, gpointer user_data) { HevImpathyTLSVerifier *self = HEV_IMPATHY_TLS_VERIFIER(user_data); HevImpathyTLSVerifierPrivate *priv = HEV_IMPATHY_TLS_VERIFIER_GET_PRIVATE(self); gint idx = 0; gchar *user_certs_dir = NULL; GDir *dir = NULL; GError *error = NULL; g_debug("%s:%d[%s]", __FILE__, __LINE__, __FUNCTION__); priv->trusted_ca_list = g_ptr_array_new_with_free_func( (GDestroyNotify)gnutls_x509_crt_deinit); for(idx=0; idx<(gint)G_N_ELEMENTS(system_ca_paths)-1; idx++) { const gchar *path = NULL; gchar *contents = NULL; gsize length = 0; gint res = 0, n_certs = 0; gnutls_x509_crt_t *cert_list = NULL; gnutls_datum_t datum = { NULL, 0 }; gnutls_x509_crt_fmt_t format = 0; path = system_ca_paths[idx]; g_file_get_contents(path, &contents, &length, &error); if(NULL != error) { g_clear_error(&error); continue; } datum.data = (guchar *)contents; datum.size = length; n_certs = get_number_and_type_of_certificates(&datum, &format); if(0 > n_certs) { g_free(contents); continue; } cert_list = g_malloc0(sizeof(gnutls_x509_crt_t) * n_certs); res = gnutls_x509_crt_list_import(cert_list, (guint *)&n_certs, &datum, format, 0); if(0 > res) { g_free(contents); continue; } for(idx=0; idx<n_certs; idx++) g_ptr_array_add(priv->trusted_ca_list, cert_list[idx]); g_free(contents); g_free(cert_list); } /* user certs */ user_certs_dir = g_build_filename(g_get_user_config_dir(), "telepathy", "certs", NULL); dir = g_dir_open(user_certs_dir, 0, &error); if(NULL == error) { const gchar *cert_name = NULL; while(NULL != (cert_name=g_dir_read_name(dir))) { gchar *contents = NULL, *cert_path = NULL; gsize length = 0; gint res = 0; gnutls_datum_t datum = { NULL, 0 }; gnutls_x509_crt_t cert = 0; cert_path = g_build_filename(user_certs_dir, cert_name, NULL); g_file_get_contents(cert_path, &contents, &length, &error); if(NULL != error) { g_clear_error(&error); g_free(cert_path); continue; } datum.data = (guchar *)contents; datum.size = length; gnutls_x509_crt_init(&cert); res = gnutls_x509_crt_import(cert, &datum, GNUTLS_X509_FMT_PEM); if(GNUTLS_E_SUCCESS == res) g_ptr_array_add(priv->trusted_ca_list, cert); g_free(contents); g_free(cert_path); } g_dir_close(dir); } else { g_error_free(error); } g_free(user_certs_dir); g_io_scheduler_job_send_to_mainloop_async(job, start_verification, self, NULL); return FALSE; }
/* Load the certificate and the private key. */ static void load_keys (void) { unsigned int crt_num; int ret; gnutls_datum_t data; if (x509_certfile != NULL && x509_keyfile != NULL) { data = load_file (x509_certfile); if (data.data == NULL) { fprintf (stderr, "*** Error loading cert file.\n"); exit (1); } crt_num = MAX_CRT; ret = gnutls_x509_crt_list_import (x509_crt, &crt_num, &data, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); if (ret < 0) { if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { fprintf (stderr, "*** Error loading cert file: Too many certs %d\n", crt_num); } else { fprintf (stderr, "*** Error loading cert file: %s\n", gnutls_strerror (ret)); } exit (1); } x509_crt_size = ret; fprintf (stderr, "Processed %d client certificates...\n", ret); unload_file (data); data = load_file (x509_keyfile); if (data.data == NULL) { fprintf (stderr, "*** Error loading key file.\n"); exit (1); } gnutls_x509_privkey_init (&x509_key); ret = gnutls_x509_privkey_import (x509_key, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) { fprintf (stderr, "*** Error loading key file: %s\n", gnutls_strerror (ret)); exit (1); } unload_file (data); fprintf (stderr, "Processed %d client X.509 certificates...\n", x509_crt_size); } #ifdef ENABLE_OPENPGP if (pgp_certfile != NULL && pgp_keyfile != NULL) { data = load_file (pgp_certfile); if (data.data == NULL) { fprintf (stderr, "*** Error loading PGP cert file.\n"); exit (1); } gnutls_openpgp_crt_init (&pgp_crt); ret = gnutls_openpgp_crt_import (pgp_crt, &data, GNUTLS_OPENPGP_FMT_BASE64); if (ret < 0) { fprintf (stderr, "*** Error loading PGP cert file: %s\n", gnutls_strerror (ret)); exit (1); } unload_file (data); data = load_file (pgp_keyfile); if (data.data == NULL) { fprintf (stderr, "*** Error loading PGP key file.\n"); exit (1); } gnutls_openpgp_privkey_init (&pgp_key); ret = gnutls_openpgp_privkey_import (pgp_key, &data, GNUTLS_OPENPGP_FMT_BASE64, NULL, 0); if (ret < 0) { fprintf (stderr, "*** Error loading PGP key file: %s\n", gnutls_strerror (ret)); exit (1); } unload_file (data); if (info.pgp_subkey != NULL) { gnutls_openpgp_keyid_t keyid; if (strcasecmp (info.pgp_subkey, "auto") == 0) { ret = gnutls_openpgp_crt_get_auth_subkey (pgp_crt, keyid, 1); if (ret < 0) { fprintf (stderr, "*** Error setting preferred sub key id (%s): %s\n", info.pgp_subkey, gnutls_strerror (ret)); exit (1); } } else get_keyid (keyid, info.pgp_subkey); ret = gnutls_openpgp_crt_set_preferred_key_id (pgp_crt, keyid); if (ret >= 0) ret = gnutls_openpgp_privkey_set_preferred_key_id (pgp_key, keyid); if (ret < 0) { fprintf (stderr, "*** Error setting preferred sub key id (%s): %s\n", info.pgp_subkey, gnutls_strerror (ret)); exit (1); } } fprintf (stderr, "Processed 1 client PGP certificate...\n"); } #endif }
void doit(void) { gnutls_certificate_credentials_t x509_cred; int ret; unsigned int i; gnutls_x509_crt_t issuer; gnutls_x509_crt_t list[LIST_SIZE]; char dn[128]; size_t dn_size; unsigned int list_size; size_t buf_size; gnutls_x509_privkey_t get_key; gnutls_x509_crt_t *get_crts; unsigned n_get_crts; gnutls_datum_t get_datum, chain_datum[2] = {server_ca3_cert, subca3_cert}; gnutls_x509_trust_list_t trust_list; gnutls_x509_trust_list_iter_t trust_iter; gnutls_x509_crt_t get_ca_crt; unsigned n_get_ca_crts; /* this must be called once in the program */ global_init(); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(6); gnutls_certificate_allocate_credentials(&x509_cred); gnutls_certificate_set_x509_trust_mem(x509_cred, &ca3_cert, GNUTLS_X509_FMT_PEM); gnutls_certificate_set_x509_key_mem(x509_cred, &server_ca3_cert_chain, &server_ca3_key, GNUTLS_X509_FMT_PEM); /* test for gnutls_certificate_get_issuer() */ /* check whether gnutls_x509_crt_list_import will fail if given a single * certificate */ list_size = LIST_SIZE; ret = gnutls_x509_crt_list_import(list, &list_size, &ca3_cert, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED); if (ret < 0) fail("gnutls_x509_crt_list_import (failed with a single cert)"); gnutls_x509_crt_deinit(list[0]); list_size = LIST_SIZE; ret = gnutls_x509_crt_list_import(list, &list_size, &cli_ca3_cert_chain, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED); if (ret < 0) fail("gnutls_x509_crt_list_import"); ret = gnutls_certificate_get_issuer(x509_cred, list[list_size-1], &issuer, 0); if (ret < 0) fail("gnutls_certificate_get_isser"); ret = gnutls_certificate_get_issuer(x509_cred, list[list_size-1], &issuer, GNUTLS_TL_GET_COPY); if (ret < 0) fail("gnutls_certificate_get_isser"); dn_size = sizeof(dn); ret = gnutls_x509_crt_get_dn(issuer, dn, &dn_size); if (ret < 0) fail("gnutls_certificate_get_dn"); gnutls_x509_crt_deinit(issuer); if (dn_size != strlen(dn)) { fail("gnutls_x509_crt_get_dn: lengths don't match\n"); exit(1); } if (debug) fprintf(stderr, "Issuer's DN: %s\n", dn); /* test the getter functions of gnutls_certificate_credentials_t */ ret = gnutls_certificate_get_x509_key(x509_cred, 0, &get_key); if (ret < 0) fail("gnutls_certificate_get_x509_key"); ret = gnutls_x509_privkey_export2(get_key, GNUTLS_X509_FMT_PEM, &get_datum); if (ret < 0) fail("gnutls_x509_privkey_export2"); if (get_datum.size != server_ca3_key.size || memcmp(get_datum.data, server_ca3_key.data, get_datum.size) != 0) { fail( "exported key %u vs. %u\n\n%s\n\nvs.\n\n%s", get_datum.size, server_ca3_key.size, get_datum.data, server_ca3_key.data); } if (strlen((char*)get_datum.data) != get_datum.size) { fail("exported key %u vs. %u\n\n%s\n", get_datum.size, (unsigned)strlen((char*)get_datum.data), get_datum.data); } gnutls_free(get_datum.data); buf_size = sizeof(buf); ret = gnutls_x509_privkey_export(get_key, GNUTLS_X509_FMT_PEM, buf, &buf_size); if (ret < 0) fail("gnutls_x509_privkey_export"); if (buf_size != get_datum.size || buf_size != strlen(buf) || memcmp(buf, server_ca3_key.data, buf_size) != 0) { fail( "exported key %u vs. %u\n\n%s\n\nvs.\n\n%s", (int)buf_size, server_ca3_key.size, buf, server_ca3_key.data); } ret = gnutls_certificate_get_x509_crt(x509_cred, 0, &get_crts, &n_get_crts); if (ret < 0) fail("gnutls_certificate_get_x509_crt"); if (n_get_crts != 2) fail("gnutls_certificate_get_x509_crt: n_crts != 2"); for (i = 0; i < n_get_crts; i++) { ret = gnutls_x509_crt_export2(get_crts[i], GNUTLS_X509_FMT_PEM, &get_datum); if (ret < 0) fail("gnutls_x509_crt_export2"); if (get_datum.size != chain_datum[i].size || memcmp(get_datum.data, chain_datum[i].data, get_datum.size) != 0) { fail( "exported certificate %u vs. %u\n\n%s\n\nvs.\n\n%s", get_datum.size, chain_datum[i].size, get_datum.data, chain_datum[i].data); } gnutls_free(get_datum.data); } gnutls_certificate_get_trust_list(x509_cred, &trust_list); n_get_ca_crts = 0; trust_iter = NULL; while (gnutls_x509_trust_list_iter_get_ca(trust_list, &trust_iter, &get_ca_crt) != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { ret = gnutls_x509_crt_export2(get_ca_crt, GNUTLS_X509_FMT_PEM, &get_datum); if (ret < 0) fail("gnutls_x509_crt_export2"); if (get_datum.size != ca3_cert.size || memcmp(get_datum.data, ca3_cert.data, get_datum.size) != 0) { fail( "exported CA certificate %u vs. %u\n\n%s\n\nvs.\n\n%s", get_datum.size, ca3_cert.size, get_datum.data, ca3_cert.data); } gnutls_x509_crt_deinit(get_ca_crt); gnutls_free(get_datum.data); ++n_get_ca_crts; } if (n_get_ca_crts != 1) fail("gnutls_x509_trust_list_iter_get_ca: n_cas != 1"); if (trust_iter != NULL) fail("gnutls_x509_trust_list_iter_get_ca: iterator not NULL after iteration"); gnutls_x509_privkey_deinit(get_key); for (i = 0; i < n_get_crts; i++) gnutls_x509_crt_deinit(get_crts[i]); gnutls_free(get_crts); for (i = 0; i < list_size; i++) gnutls_x509_crt_deinit(list[i]); gnutls_certificate_free_credentials(x509_cred); gnutls_global_deinit(); if (debug) success("success"); }
/* * initialize a new TLS context */ static int tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) { tlsg_ctx *ctx = lo->ldo_tls_ctx; int rc; if ( lo->ldo_tls_ciphersuite && tlsg_parse_ciphers( ctx, lt->lt_ciphersuite )) { Debug( LDAP_DEBUG_ANY, "TLS: could not set cipher list %s.\n", lo->ldo_tls_ciphersuite, 0, 0 ); return -1; } if (lo->ldo_tls_cacertdir != NULL) { Debug( LDAP_DEBUG_ANY, "TLS: warning: cacertdir not implemented for gnutls\n", NULL, NULL, NULL ); } if (lo->ldo_tls_cacertfile != NULL) { rc = gnutls_certificate_set_x509_trust_file( ctx->cred, lt->lt_cacertfile, GNUTLS_X509_FMT_PEM ); if ( rc < 0 ) return -1; } if ( lo->ldo_tls_certfile && lo->ldo_tls_keyfile ) { gnutls_x509_privkey_t key; gnutls_datum_t buf; gnutls_x509_crt_t certs[VERIFY_DEPTH]; unsigned int max = VERIFY_DEPTH; rc = gnutls_x509_privkey_init( &key ); if ( rc ) return -1; /* OpenSSL builds the cert chain for us, but GnuTLS * expects it to be present in the certfile. If it's * not, we have to build it ourselves. So we have to * do some special checks here... */ rc = tlsg_getfile( lt->lt_keyfile, &buf ); if ( rc ) return -1; rc = gnutls_x509_privkey_import( key, &buf, GNUTLS_X509_FMT_PEM ); LDAP_FREE( buf.data ); if ( rc < 0 ) return rc; rc = tlsg_getfile( lt->lt_certfile, &buf ); if ( rc ) return -1; rc = gnutls_x509_crt_list_import( certs, &max, &buf, GNUTLS_X509_FMT_PEM, 0 ); LDAP_FREE( buf.data ); if ( rc < 0 ) return rc; /* If there's only one cert and it's not self-signed, * then we have to build the cert chain. */ if ( max == 1 && !gnutls_x509_crt_check_issuer( certs[0], certs[0] )) { gnutls_x509_crt_t *cas; unsigned int i, j, ncas; gnutls_certificate_get_x509_cas( ctx->cred, &cas, &ncas ); for ( i = 1; i<VERIFY_DEPTH; i++ ) { for ( j = 0; j<ncas; j++ ) { if ( gnutls_x509_crt_check_issuer( certs[i-1], cas[j] )) { certs[i] = cas[j]; max++; /* If this CA is self-signed, we're done */ if ( gnutls_x509_crt_check_issuer( cas[j], cas[j] )) j = ncas; break; } } /* only continue if we found a CA and it was not self-signed */ if ( j == ncas ) break; } } rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key ); if ( rc ) return -1; } else if ( lo->ldo_tls_certfile || lo->ldo_tls_keyfile ) { Debug( LDAP_DEBUG_ANY, "TLS: only one of certfile and keyfile specified\n", NULL, NULL, NULL ); return -1; } if ( lo->ldo_tls_dhfile ) { Debug( LDAP_DEBUG_ANY, "TLS: warning: ignoring dhfile\n", NULL, NULL, NULL ); } if ( lo->ldo_tls_crlfile ) { rc = gnutls_certificate_set_x509_crl_file( ctx->cred, lt->lt_crlfile, GNUTLS_X509_FMT_PEM ); if ( rc < 0 ) return -1; rc = 0; } /* FIXME: ITS#5992 - this should go be configurable, * and V1 CA certs should be phased out ASAP. */ gnutls_certificate_set_verify_flags( ctx->cred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT ); if ( is_server ) { gnutls_dh_params_init(&ctx->dh_params); gnutls_dh_params_generate2(ctx->dh_params, DH_BITS); } return 0; }
/* Load the certificate and the private key. */ static void load_keys (void) { unsigned int crt_num; int ret, i; gnutls_datum_t data = { NULL, 0 }; gnutls_x509_crt_t crt_list[MAX_CRT]; #ifdef ENABLE_PKCS11 gnutls_pkcs11_privkey_t pkcs11_key; #endif gnutls_x509_privkey_t tmp_key; unsigned char keyid[GNUTLS_OPENPGP_KEYID_SIZE]; if (x509_certfile != NULL && x509_keyfile != NULL) { #ifdef ENABLE_PKCS11 if (strncmp (x509_certfile, "pkcs11:", 7) == 0) { crt_num = 1; gnutls_x509_crt_init (&crt_list[0]); ret = gnutls_x509_crt_import_pkcs11_url (crt_list[0], x509_certfile, 0); if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) ret = gnutls_x509_crt_import_pkcs11_url (crt_list[0], x509_certfile, GNUTLS_PKCS11_OBJ_FLAG_LOGIN); if (ret < 0) { fprintf (stderr, "*** Error loading cert file.\n"); exit (1); } x509_crt_size = 1; } else #endif /* ENABLE_PKCS11 */ { data = load_file (x509_certfile); if (data.data == NULL) { fprintf (stderr, "*** Error loading cert file.\n"); exit (1); } crt_num = MAX_CRT; ret = gnutls_x509_crt_list_import (crt_list, &crt_num, &data, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); if (ret < 0) { if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { fprintf (stderr, "*** Error loading cert file: Too many certs %d\n", crt_num); } else { fprintf (stderr, "*** Error loading cert file: %s\n", gnutls_strerror (ret)); } exit (1); } x509_crt_size = ret; } for (i=0;i<x509_crt_size;i++) { ret = gnutls_pcert_import_x509(&x509_crt[i], crt_list[i], 0); if (ret < 0) { fprintf(stderr, "*** Error importing crt to pcert: %s\n", gnutls_strerror(ret)); exit(1); } gnutls_x509_crt_deinit(crt_list[i]); } unload_file (&data); ret = gnutls_privkey_init(&x509_key); if (ret < 0) { fprintf (stderr, "*** Error initializing key: %s\n", gnutls_strerror (ret)); exit (1); } #ifdef ENABLE_PKCS11 if (strncmp (x509_keyfile, "pkcs11:", 7) == 0) { gnutls_pkcs11_privkey_init (&pkcs11_key); ret = gnutls_pkcs11_privkey_import_url (pkcs11_key, x509_keyfile, 0); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } ret = gnutls_privkey_import_pkcs11( x509_key, pkcs11_key, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } } else #endif /* ENABLE_PKCS11 */ { data = load_file (x509_keyfile); if (data.data == NULL) { fprintf (stderr, "*** Error loading key file.\n"); exit (1); } gnutls_x509_privkey_init (&tmp_key); ret = gnutls_x509_privkey_import (tmp_key, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) { fprintf (stderr, "*** Error loading key file: %s\n", gnutls_strerror (ret)); exit (1); } ret = gnutls_privkey_import_x509( x509_key, tmp_key, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } unload_file (&data); } fprintf (stdout, "Processed %d client X.509 certificates...\n", x509_crt_size); } #ifdef ENABLE_OPENPGP if (info.pgp_subkey != NULL) { get_keyid (keyid, info.pgp_subkey); } if (pgp_certfile != NULL && pgp_keyfile != NULL) { gnutls_openpgp_crt_t tmp_pgp_crt; data = load_file (pgp_certfile); if (data.data == NULL) { fprintf (stderr, "*** Error loading PGP cert file.\n"); exit (1); } gnutls_openpgp_crt_init (&tmp_pgp_crt); ret = gnutls_pcert_import_openpgp_raw (&pgp_crt, &data, GNUTLS_OPENPGP_FMT_BASE64, info.pgp_subkey!=NULL?keyid:NULL, 0); if (ret < 0) { fprintf (stderr, "*** Error loading PGP cert file: %s\n", gnutls_strerror (ret)); exit (1); } unload_file (&data); ret = gnutls_privkey_init(&pgp_key); if (ret < 0) { fprintf (stderr, "*** Error initializing key: %s\n", gnutls_strerror (ret)); exit (1); } #ifdef ENABLE_PKCS11 if (strncmp (pgp_keyfile, "pkcs11:", 7) == 0) { gnutls_pkcs11_privkey_init (&pkcs11_key); ret = gnutls_pkcs11_privkey_import_url (pkcs11_key, pgp_keyfile, 0); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } ret = gnutls_privkey_import_pkcs11( pgp_key, pkcs11_key, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } } else #endif /* ENABLE_PKCS11 */ { gnutls_openpgp_privkey_t tmp_pgp_key; data = load_file (pgp_keyfile); if (data.data == NULL) { fprintf (stderr, "*** Error loading PGP key file.\n"); exit (1); } gnutls_openpgp_privkey_init (&tmp_pgp_key); ret = gnutls_openpgp_privkey_import (tmp_pgp_key, &data, GNUTLS_OPENPGP_FMT_BASE64, NULL, 0); if (ret < 0) { fprintf (stderr, "*** Error loading PGP key file: %s\n", gnutls_strerror (ret)); exit (1); } if (info.pgp_subkey != NULL) { ret = gnutls_openpgp_privkey_set_preferred_key_id (tmp_pgp_key, keyid); if (ret < 0) { fprintf (stderr, "*** Error setting preferred sub key id (%s): %s\n", info.pgp_subkey, gnutls_strerror (ret)); exit (1); } } ret = gnutls_privkey_import_openpgp( pgp_key, tmp_pgp_key, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } unload_file (&data); } fprintf (stdout, "Processed 1 client PGP certificate...\n"); } #endif }
int _requiem_tls_crt_list_import(gnutls_x509_crt *certs, unsigned int *cmax, const gnutls_datum *indata, gnutls_x509_crt_fmt format) { return gnutls_x509_crt_list_import(certs, cmax, indata, format, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); }
int main (int argc, char **argv) { /* Local Vars */ int ret; int i; unsigned int len; gnutls_x509_crt_t cert[1]; char *subject = NULL; size_t subject_len; time_t expiration_time, activation_time; /* Set signal handling and alarm */ if (signal (SIGALRM, timeout_alarm_handler) == SIG_ERR) critical("Setup SIGALRM trap failed!"); /* Process check arguments */ if (process_arguments(argc, argv) != OK) unknown("Parsing arguments failed!"); /* Start plugin timeout */ alarm(mp_timeout); /* Init GnuTLS */ gnutls_global_init(); for(i = 0; i < cert_files; i++) { if (mp_verbose) printf("Cert: %s\n", cert_file[i]); /* Read the Cert */ gnutls_datum_t data = { NULL, 0 }; ret = mp_slurp(cert_file[i], &(data.data)); data.size = ret; if (ret <= 0) { set_critical("Error loading cert file '%s'.", cert_file[i]); continue; } /* Load the Cert to a list. */ len = 1; ret = gnutls_x509_crt_list_import(cert, &len, &data, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); if (ret < 0) { set_critical("%s error: %s", cert_file[i], gnutls_strerror(ret)); continue; }; /* Read der Cert CN */ if (subject == NULL) { subject = mp_malloc(128); subject_len = 128; } ret = gnutls_x509_crt_get_dn_by_oid(cert[0], GNUTLS_OID_X520_COMMON_NAME, 0, 0, subject, &subject_len); if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { subject_len+=1; subject = mp_realloc(subject, subject_len); ret = gnutls_x509_crt_get_dn_by_oid(cert[0], GNUTLS_OID_X520_COMMON_NAME, 0, 0, subject, &subject_len); } if (ret != 0) { set_critical("%s error: %s", cert_file[i], gnutls_strerror(ret)); continue; } if (mp_verbose) { printf(" * Subject: %s\n", subject); } /* Check expire time */ expiration_time = gnutls_x509_crt_get_expiration_time (cert[0]); activation_time = gnutls_x509_crt_get_activation_time (cert[0]); if (mp_verbose) { printf (" * Certificate is valid since: %s", ctime (&activation_time)); printf (" * Certificate expires: %s", ctime (&expiration_time)); } int days = (int)difftime(expiration_time, time(0))/86400; switch (get_status((expiration_time-time(0)), expire_thresholds)) { case STATE_OK: set_ok(cert_file[i]); break; case STATE_WARNING: set_warning("%s expires in %d day%s", cert_file[i], days, days==1?"":"s"); break; case STATE_CRITICAL: set_critical("%s expires in %d day%s", cert_file[i], days, days==1?"":"s"); break; } if (activation_time > time(0)) { int days = (int)difftime(activation_time, time(0))/86400; set_critical("%s activates in %d day%s", cert_file[i], days, days==1?"":"s"); } } // Dissconnect gnutls_global_deinit (); mp_exit("X509"); }
int rb_setup_ssl_server(const char *cert, const char *keyfile, const char *dhfile, const char *cipher_list) { int ret; const char *err; gnutls_datum_t *d_cert, *d_key; if(cert == NULL) { rb_lib_log("rb_setup_ssl_server: No certificate file"); return 0; } if((d_cert = rb_load_file_into_datum_t(cert)) == NULL) { rb_lib_log("rb_setup_ssl_server: Error loading certificate: %s", strerror(errno)); return 0; } if((d_key = rb_load_file_into_datum_t(keyfile)) == NULL) { rb_lib_log("rb_setup_ssl_server: Error loading key: %s", strerror(errno)); return 0; } /* In addition to creating the certificate set, we also need to store our cert elsewhere * so we can force GnuTLS to identify with it when acting as a client. */ gnutls_x509_privkey_init(&x509_key); if ((ret = gnutls_x509_privkey_import(x509_key, d_key, GNUTLS_X509_FMT_PEM)) != GNUTLS_E_SUCCESS) { rb_lib_log("rb_setup_ssl_server: Error loading key file: %s", gnutls_strerror(ret)); return 0; } x509_cert_count = MAX_CERTS; if ((ret = gnutls_x509_crt_list_import(x509_cert, &x509_cert_count, d_cert, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED)) < 0) { rb_lib_log("rb_setup_ssl_server: Error loading certificate: %s", gnutls_strerror(ret)); return 0; } x509_cert_count = ret; if((ret = gnutls_certificate_set_x509_key_mem(x509, d_cert, d_key, GNUTLS_X509_FMT_PEM)) != GNUTLS_E_SUCCESS) { rb_lib_log("rb_setup_ssl_server: Error loading certificate or key file: %s", gnutls_strerror(ret)); return 0; } rb_free_datum_t(d_cert); rb_free_datum_t(d_key); if(dhfile != NULL) { if(gnutls_dh_params_init(&dh_params) == GNUTLS_E_SUCCESS) { gnutls_datum_t *data; int xret; data = rb_load_file_into_datum_t(dhfile); if(data != NULL) { xret = gnutls_dh_params_import_pkcs3(dh_params, data, GNUTLS_X509_FMT_PEM); if(xret < 0) rb_lib_log ("rb_setup_ssl_server: Error parsing DH file: %s\n", gnutls_strerror(xret)); rb_free_datum_t(data); } gnutls_certificate_set_dh_params(x509, dh_params); } else rb_lib_log("rb_setup_ssl_server: Unable to setup DH parameters"); } ret = gnutls_priority_init(&default_priority, cipher_list, &err); if (ret < 0) { rb_lib_log("rb_setup_ssl_server: syntax error (using defaults instead) in ssl cipher list at: %s", err); gnutls_priority_init(&default_priority, NULL, &err); return 1; } return 1; }
/* Load the certificate and the private key. */ static void load_keys (void) { unsigned int crt_num; int ret; unsigned int i; gnutls_datum_t data = { NULL, 0 }; gnutls_x509_crt_t crt_list[MAX_CRT]; unsigned char keyid[GNUTLS_OPENPGP_KEYID_SIZE]; if (x509_certfile != NULL && x509_keyfile != NULL) { #ifdef ENABLE_PKCS11 if (strncmp (x509_certfile, "pkcs11:", 7) == 0) { crt_num = 1; gnutls_x509_crt_init (&crt_list[0]); gnutls_x509_crt_set_pin_function(crt_list[0], pin_callback, NULL); ret = gnutls_x509_crt_import_pkcs11_url (crt_list[0], x509_certfile, 0); if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) ret = gnutls_x509_crt_import_pkcs11_url (crt_list[0], x509_certfile, GNUTLS_PKCS11_OBJ_FLAG_LOGIN); if (ret < 0) { fprintf (stderr, "*** Error loading cert file.\n"); exit (1); } x509_crt_size = 1; } else #endif /* ENABLE_PKCS11 */ { ret = gnutls_load_file (x509_certfile, &data); if (ret < 0) { fprintf (stderr, "*** Error loading cert file.\n"); exit (1); } crt_num = MAX_CRT; ret = gnutls_x509_crt_list_import (crt_list, &crt_num, &data, x509ctype, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); if (ret < 0) { if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { fprintf (stderr, "*** Error loading cert file: Too many certs %d\n", crt_num); } else { fprintf (stderr, "*** Error loading cert file: %s\n", gnutls_strerror (ret)); } exit (1); } x509_crt_size = ret; } for (i=0;i<x509_crt_size;i++) { ret = gnutls_pcert_import_x509(&x509_crt[i], crt_list[i], 0); if (ret < 0) { fprintf(stderr, "*** Error importing crt to pcert: %s\n", gnutls_strerror(ret)); exit(1); } gnutls_x509_crt_deinit(crt_list[i]); } gnutls_free (data.data); ret = gnutls_privkey_init(&x509_key); if (ret < 0) { fprintf (stderr, "*** Error initializing key: %s\n", gnutls_strerror (ret)); exit (1); } gnutls_privkey_set_pin_function(x509_key, pin_callback, NULL); if (gnutls_url_is_supported(x509_keyfile) != 0) { ret = gnutls_privkey_import_url (x509_key, x509_keyfile, 0); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } } else { ret = gnutls_load_file (x509_keyfile, &data); if (ret < 0) { fprintf (stderr, "*** Error loading key file.\n"); exit (1); } ret = gnutls_privkey_import_x509_raw( x509_key, &data, x509ctype, NULL, 0); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } gnutls_free(data.data); } fprintf (stdout, "Processed %d client X.509 certificates...\n", x509_crt_size); } #ifdef ENABLE_OPENPGP if (HAVE_OPT(PGPSUBKEY)) { get_keyid (keyid, OPT_ARG(PGPSUBKEY)); } if (pgp_certfile != NULL && pgp_keyfile != NULL) { gnutls_openpgp_crt_t tmp_pgp_crt; ret = gnutls_load_file (pgp_certfile, &data); if (ret < 0) { fprintf (stderr, "*** Error loading PGP cert file.\n"); exit (1); } gnutls_openpgp_crt_init (&tmp_pgp_crt); ret = gnutls_pcert_import_openpgp_raw (&pgp_crt, &data, GNUTLS_OPENPGP_FMT_BASE64, HAVE_OPT(PGPSUBKEY)?keyid:NULL, 0); if (ret < 0) { fprintf (stderr, "*** Error loading PGP cert file: %s\n", gnutls_strerror (ret)); exit (1); } gnutls_free (data.data); ret = gnutls_privkey_init(&pgp_key); if (ret < 0) { fprintf (stderr, "*** Error initializing key: %s\n", gnutls_strerror (ret)); exit (1); } gnutls_privkey_set_pin_function(pgp_key, pin_callback, NULL); if (gnutls_url_is_supported (pgp_keyfile)) { ret = gnutls_privkey_import_url( pgp_key, pgp_keyfile, 0); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } } else { ret = gnutls_load_file (pgp_keyfile, &data); if (ret < 0) { fprintf (stderr, "*** Error loading key file.\n"); exit (1); } if (HAVE_OPT(PGPSUBKEY)) ret = gnutls_privkey_import_openpgp_raw( pgp_key, &data, x509ctype, keyid, NULL); else ret = gnutls_privkey_import_openpgp_raw( pgp_key, &data, x509ctype, NULL, NULL); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } gnutls_free(data.data); } fprintf (stdout, "Processed 1 client PGP certificate...\n"); } #endif }