/*- * gnutls_openpgp_fingerprint: * @cert: the raw data that contains the OpenPGP public key. * @fpr: the buffer to save the fingerprint. * @fprlen: the integer to save the length of the fingerprint. * * Returns the fingerprint of the OpenPGP key. Depence on the algorithm, * the fingerprint can be 16 or 20 bytes. -*/ int _gnutls_openpgp_fingerprint(const gnutls_datum_t * cert, unsigned char *fpr, size_t * fprlen) { gnutls_openpgp_crt_t key; int ret; ret = gnutls_openpgp_crt_init(&key); if (ret < 0) { gnutls_assert(); return ret; } ret = gnutls_openpgp_crt_import(key, cert, GNUTLS_OPENPGP_FMT_RAW); if (ret < 0) { gnutls_assert(); return ret; } ret = gnutls_openpgp_crt_get_fingerprint(key, fpr, fprlen); gnutls_openpgp_crt_deinit(key); if (ret < 0) { gnutls_assert(); return ret; } return 0; }
/*- * gnutls_openpgp_get_raw_key_expiration_time: * @cert: the raw data that contains the OpenPGP public key. * * Returns the time when the OpenPGP key expires. A value of '0' means * that the key doesn't expire at all. -*/ time_t _gnutls_openpgp_get_raw_key_expiration_time(const gnutls_datum_t * cert) { gnutls_openpgp_crt_t key; int ret; time_t tim; ret = gnutls_openpgp_crt_init(&key); if (ret < 0) { gnutls_assert(); return ret; } ret = gnutls_openpgp_crt_import(key, cert, GNUTLS_OPENPGP_FMT_RAW); if (ret < 0) { gnutls_assert(); return ret; } tim = gnutls_openpgp_crt_get_expiration_time(key); gnutls_openpgp_crt_deinit(key); return tim; }
static void print_openpgp_info_compact(gnutls_session_t session) { gnutls_openpgp_crt_t crt; const gnutls_datum_t *cert_list; unsigned int cert_list_size = 0; int ret; cert_list = gnutls_certificate_get_peers(session, &cert_list_size); if (cert_list_size > 0) { gnutls_datum_t cinfo; gnutls_openpgp_crt_init(&crt); ret = gnutls_openpgp_crt_import(crt, &cert_list[0], GNUTLS_OPENPGP_FMT_RAW); if (ret < 0) { fprintf(stderr, "Decoding error: %s\n", gnutls_strerror(ret)); return; } ret = gnutls_openpgp_crt_print(crt, GNUTLS_CRT_PRINT_COMPACT, &cinfo); if (ret == 0) { printf("- OpenPGP cert: %s\n", cinfo.data); gnutls_free(cinfo.data); } gnutls_openpgp_crt_deinit(crt); } }
/** * gnutls_pcert_import_openpgp_raw: * @pcert: The pcert structure * @cert: The raw certificate to be imported * @format: The format of the certificate * @keyid: The key ID to use (NULL for the master key) * @flags: zero for now * * This convenience function will import the given certificate to a * #gnutls_pcert_st structure. The structure must be deinitialized * afterwards using gnutls_pcert_deinit(); * * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a * negative error value. **/ int gnutls_pcert_import_openpgp_raw (gnutls_pcert_st *pcert, const gnutls_datum_t* cert, gnutls_openpgp_crt_fmt_t format, gnutls_openpgp_keyid_t keyid, unsigned int flags) { int ret; gnutls_openpgp_crt_t crt; memset(pcert, 0, sizeof(*pcert)); pcert->cert.data = NULL; ret = gnutls_openpgp_crt_init(&crt); if (ret < 0) return gnutls_assert_val(ret); ret = gnutls_openpgp_crt_import(crt, cert, format); if (ret < 0) { ret = gnutls_assert_val(ret); goto cleanup; } if (keyid != NULL) { ret = gnutls_openpgp_crt_set_preferred_key_id(crt, keyid); if (ret < 0) { ret = gnutls_assert_val(ret); goto cleanup; } } ret = gnutls_pcert_import_openpgp(pcert, crt, flags); if (ret < 0) { ret = gnutls_assert_val(ret); goto cleanup; } ret = 0; cleanup: gnutls_openpgp_crt_deinit(crt); return ret; }
/** * gnutls_openpgp_keyring_get_crt: * @ring: Holds the keyring. * @idx: the index of the certificate to export * @cert: An uninitialized #gnutls_openpgp_crt_t structure * * This function will extract an OpenPGP certificate from the given * keyring. If the index given is out of range * %GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. The * returned structure needs to be deinited. * * Returns: %GNUTLS_E_SUCCESS on success, or an error code. **/ int gnutls_openpgp_keyring_get_crt (gnutls_openpgp_keyring_t ring, unsigned int idx, gnutls_openpgp_crt_t * cert) { cdk_kbnode_t knode; cdk_error_t err; int ret = 0; unsigned int count = 0; cdk_keydb_search_t st; err = cdk_keydb_search_start (&st, ring->db, CDK_DBSEARCH_NEXT, NULL); if (err != CDK_Success) { gnutls_assert (); return _gnutls_map_cdk_rc (err); } do { err = cdk_keydb_search (st, ring->db, &knode); if (err != CDK_EOF && err != CDK_Success) { gnutls_assert (); cdk_keydb_search_release (st); return _gnutls_map_cdk_rc (err); } if (idx == count && err == CDK_Success) { ret = gnutls_openpgp_crt_init (cert); if (ret == 0) (*cert)->knode = knode; cdk_keydb_search_release (st); return ret; } if (knode_is_pkey (knode)) count++; cdk_kbnode_release (knode); } while (err != CDK_EOF); cdk_keydb_search_release (st); return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; }
/* returns true or false, depending on whether the hostname * matches to certificate */ static int verify_openpgp_hostname (gnutls_session_t session, const char *hostname) { gnutls_openpgp_crt_t crt; const gnutls_datum_t *cert_list; unsigned int cert_list_size = 0; int ret; cert_list = gnutls_certificate_get_peers (session, &cert_list_size); if (cert_list_size == 0) { fprintf (stderr, "No certificates found!\n"); return 0; } gnutls_openpgp_crt_init (&crt); ret = gnutls_openpgp_crt_import (crt, &cert_list[0], GNUTLS_OPENPGP_FMT_RAW); if (ret < 0) { fprintf (stderr, "Decoding error: %s\n", gnutls_strerror (ret)); return 0; } /* Check the hostname of the first certificate if it matches * the name of the host we connected to. */ if (gnutls_openpgp_crt_check_hostname (crt, hostname) == 0) { printf ("- The hostname in the certificate does NOT match '%s'\n", hostname); ret = 0; } else { printf ("- The hostname in the certificate matches '%s'.\n", hostname); ret = 1; } gnutls_openpgp_crt_deinit (crt); return ret; }
/*- * _gnutls_openpgp_raw_crt_to_gcert - Converts raw OpenPGP data to GnuTLS certs * @cert: the certificate to store the data. * @raw: the buffer which contains the whole OpenPGP key packets. * * The RFC2440 (OpenPGP Message Format) data is converted to a GnuTLS * specific certificate. -*/ int _gnutls_openpgp_raw_crt_to_gcert (gnutls_cert * gcert, const gnutls_datum_t * raw, const gnutls_openpgp_keyid_t keyid) { gnutls_openpgp_crt_t pcrt; int ret; ret = gnutls_openpgp_crt_init (&pcrt); if (ret < 0) { gnutls_assert (); return ret; } ret = gnutls_openpgp_crt_import (pcrt, raw, GNUTLS_OPENPGP_FMT_RAW); if (ret < 0) { gnutls_assert (); gnutls_openpgp_crt_deinit (pcrt); return ret; } if (keyid != NULL) { ret = gnutls_openpgp_crt_set_preferred_key_id (pcrt, keyid); if (ret < 0) { gnutls_assert (); gnutls_openpgp_crt_deinit (pcrt); return ret; } } ret = _gnutls_openpgp_crt_to_gcert (gcert, pcrt); gnutls_openpgp_crt_deinit (pcrt); return ret; }
/* Load the certificate and the private key. */ static void load_keys (void) { unsigned int crt_num; int ret; gnutls_datum_t data; if (x509_certfile != NULL && x509_keyfile != NULL) { data = load_file (x509_certfile); if (data.data == NULL) { fprintf (stderr, "*** Error loading cert file.\n"); exit (1); } crt_num = MAX_CRT; ret = gnutls_x509_crt_list_import (x509_crt, &crt_num, &data, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); if (ret < 0) { if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { fprintf (stderr, "*** Error loading cert file: Too many certs %d\n", crt_num); } else { fprintf (stderr, "*** Error loading cert file: %s\n", gnutls_strerror (ret)); } exit (1); } x509_crt_size = ret; fprintf (stderr, "Processed %d client certificates...\n", ret); unload_file (data); data = load_file (x509_keyfile); if (data.data == NULL) { fprintf (stderr, "*** Error loading key file.\n"); exit (1); } gnutls_x509_privkey_init (&x509_key); ret = gnutls_x509_privkey_import (x509_key, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) { fprintf (stderr, "*** Error loading key file: %s\n", gnutls_strerror (ret)); exit (1); } unload_file (data); fprintf (stderr, "Processed %d client X.509 certificates...\n", x509_crt_size); } #ifdef ENABLE_OPENPGP if (pgp_certfile != NULL && pgp_keyfile != NULL) { data = load_file (pgp_certfile); if (data.data == NULL) { fprintf (stderr, "*** Error loading PGP cert file.\n"); exit (1); } gnutls_openpgp_crt_init (&pgp_crt); ret = gnutls_openpgp_crt_import (pgp_crt, &data, GNUTLS_OPENPGP_FMT_BASE64); if (ret < 0) { fprintf (stderr, "*** Error loading PGP cert file: %s\n", gnutls_strerror (ret)); exit (1); } unload_file (data); data = load_file (pgp_keyfile); if (data.data == NULL) { fprintf (stderr, "*** Error loading PGP key file.\n"); exit (1); } gnutls_openpgp_privkey_init (&pgp_key); ret = gnutls_openpgp_privkey_import (pgp_key, &data, GNUTLS_OPENPGP_FMT_BASE64, NULL, 0); if (ret < 0) { fprintf (stderr, "*** Error loading PGP key file: %s\n", gnutls_strerror (ret)); exit (1); } unload_file (data); if (info.pgp_subkey != NULL) { gnutls_openpgp_keyid_t keyid; if (strcasecmp (info.pgp_subkey, "auto") == 0) { ret = gnutls_openpgp_crt_get_auth_subkey (pgp_crt, keyid, 1); if (ret < 0) { fprintf (stderr, "*** Error setting preferred sub key id (%s): %s\n", info.pgp_subkey, gnutls_strerror (ret)); exit (1); } } else get_keyid (keyid, info.pgp_subkey); ret = gnutls_openpgp_crt_set_preferred_key_id (pgp_crt, keyid); if (ret >= 0) ret = gnutls_openpgp_privkey_set_preferred_key_id (pgp_key, keyid); if (ret < 0) { fprintf (stderr, "*** Error setting preferred sub key id (%s): %s\n", info.pgp_subkey, gnutls_strerror (ret)); exit (1); } } fprintf (stderr, "Processed 1 client PGP certificate...\n"); } #endif }
/*- * gnutls_openpgp_verify_key: * @hostname: the name of the certificate holder * @cert_list: the structure that holds the certificates. * @cert_list_lenght: the items in the cert_list. * @status: the output of the verification function * * Verify all signatures in the certificate list. When the key * is not available, the signature is skipped. * * Returns: a negative error code on error and %GNUTLS_E_SUCCESS (0) on success. * * NOTE: this function does not verify using any "web of trust". You * may use GnuPG for that purpose, or any other external PGP application. -*/ int _gnutls_openpgp_verify_key(const gnutls_certificate_credentials_t cred, gnutls_x509_subject_alt_name_t type, const char *hostname, const gnutls_datum_t * cert_list, int cert_list_length, unsigned int verify_flags, unsigned int *status) { int ret = 0; gnutls_openpgp_crt_t key = NULL; unsigned int verify = 0, verify_self = 0; if (!cert_list || cert_list_length != 1) { gnutls_assert(); return GNUTLS_E_NO_CERTIFICATE_FOUND; } ret = gnutls_openpgp_crt_init(&key); if (ret < 0) { gnutls_assert(); return ret; } ret = gnutls_openpgp_crt_import(key, &cert_list[0], GNUTLS_OPENPGP_FMT_RAW); if (ret < 0) { gnutls_assert(); goto leave; } if (cred->keyring != NULL) { ret = gnutls_openpgp_crt_verify_ring(key, cred->keyring, 0, &verify); if (ret < 0) { gnutls_assert(); goto leave; } } /* Now try the self signature. */ ret = gnutls_openpgp_crt_verify_self(key, 0, &verify_self); if (ret < 0) { gnutls_assert(); goto leave; } *status = verify_self | verify; /* If we only checked the self signature. */ if (!cred->keyring) *status |= GNUTLS_CERT_SIGNER_NOT_FOUND; if (hostname) { ret = gnutls_openpgp_crt_check_hostname2(key, hostname, verify_flags); if (ret == 0) *status |= GNUTLS_CERT_UNEXPECTED_OWNER; } ret = 0; leave: gnutls_openpgp_crt_deinit(key); return ret; }
static void print_openpgp_info (gnutls_session_t session, const char *hostname, int insecure) { gnutls_openpgp_crt_t crt; const gnutls_datum_t *cert_list; int cert_list_size = 0; int hostname_ok = 0; int ret; cert_list = gnutls_certificate_get_peers (session, &cert_list_size); if (cert_list_size > 0) { gnutls_datum_t cinfo; gnutls_openpgp_crt_init (&crt); ret = gnutls_openpgp_crt_import (crt, &cert_list[0], GNUTLS_OPENPGP_FMT_RAW); if (ret < 0) { fprintf (stderr, "Decoding error: %s\n", gnutls_strerror (ret)); return; } if (verbose) ret = gnutls_openpgp_crt_print (crt, GNUTLS_CRT_PRINT_FULL, &cinfo); else ret = gnutls_openpgp_crt_print (crt, GNUTLS_CRT_PRINT_ONELINE, &cinfo); if (ret == 0) { printf (" - %s\n", cinfo.data); gnutls_free (cinfo.data); } if (print_cert) { size_t size = 0; char *p = NULL; ret = gnutls_openpgp_crt_export (crt, GNUTLS_OPENPGP_FMT_BASE64, p, &size); if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { p = malloc (size); if (!p) { fprintf (stderr, "gnutls_malloc\n"); exit (1); } ret = gnutls_openpgp_crt_export (crt, GNUTLS_OPENPGP_FMT_BASE64, p, &size); } if (ret < 0) { fprintf (stderr, "Encoding error: %s\n", gnutls_strerror (ret)); return; } fputs (p, stdout); fputs ("\n", stdout); gnutls_free (p); } if (hostname != NULL) { /* Check the hostname of the first certificate if it matches * the name of the host we connected to. */ if (gnutls_openpgp_crt_check_hostname (crt, hostname) == 0) hostname_ok = 1; else hostname_ok = 2; } gnutls_openpgp_crt_deinit (crt); } if (hostname_ok == 1) { printf ("- The hostname in the certificate does NOT match '%s'\n", hostname); if (!insecure) exit (1); } else if (hostname_ok == 2) { printf ("- The hostname in the certificate matches '%s'.\n", hostname); } }
/** * gnutls_certificate_set_openpgp_key_mem2 - Used to set OpenPGP keys * @res: the destination context to save the data. * @cert: the datum that contains the public key. * @key: the datum that contains the secret key. * @subkey_id: a hex encoded subkey id * @format: the format of the keys * * This funtion is used to load OpenPGP keys into the GnuTLS * credentials structure. The files should only contain one key which * is not encrypted. * * The special keyword "auto" is also accepted as @subkey_id. In that * case the gnutls_openpgp_crt_get_auth_subkey() will be used to * retrieve the subkey. * * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a * negative error value. * * Since: 2.4.0 **/ int gnutls_certificate_set_openpgp_key_mem2 (gnutls_certificate_credentials_t res, const gnutls_datum_t * cert, const gnutls_datum_t * key, const char *subkey_id, gnutls_openpgp_crt_fmt_t format) { gnutls_openpgp_privkey_t pkey; gnutls_openpgp_crt_t crt; int ret; ret = gnutls_openpgp_privkey_init (&pkey); if (ret < 0) { gnutls_assert (); return ret; } ret = gnutls_openpgp_privkey_import (pkey, key, format, NULL, 0); if (ret < 0) { gnutls_assert (); gnutls_openpgp_privkey_deinit (pkey); return ret; } ret = gnutls_openpgp_crt_init (&crt); if (ret < 0) { gnutls_assert (); gnutls_openpgp_privkey_deinit (pkey); return ret; } ret = gnutls_openpgp_crt_import (crt, cert, format); if (ret < 0) { gnutls_assert (); gnutls_openpgp_privkey_deinit (pkey); gnutls_openpgp_crt_deinit (crt); return ret; } if (subkey_id != NULL) { gnutls_openpgp_keyid_t keyid; if (strcasecmp (subkey_id, "auto") == 0) ret = gnutls_openpgp_crt_get_auth_subkey (crt, keyid, 1); else ret = get_keyid (keyid, subkey_id); if (ret >= 0) { ret = gnutls_openpgp_crt_set_preferred_key_id (crt, keyid); if (ret >= 0) ret = gnutls_openpgp_privkey_set_preferred_key_id (pkey, keyid); } if (ret < 0) { gnutls_assert (); gnutls_openpgp_privkey_deinit (pkey); gnutls_openpgp_crt_deinit (crt); return ret; } } ret = gnutls_certificate_set_openpgp_key (res, crt, pkey); gnutls_openpgp_privkey_deinit (pkey); gnutls_openpgp_crt_deinit (crt); return ret; }
void doit(void) { gnutls_x509_crt_t x509; #ifdef ENABLE_OPENPGP gnutls_openpgp_crt_t pgp; #endif gnutls_datum_t data; int ret; ret = global_init(); if (ret < 0) fail("global_init: %d\n", ret); ret = gnutls_x509_crt_init(&x509); if (ret < 0) fail("gnutls_x509_crt_init: %d\n", ret); #ifdef ENABLE_OPENPGP ret = gnutls_openpgp_crt_init(&pgp); if (ret < 0) fail("gnutls_openpgp_crt_init: %d\n", ret); #endif if (debug) success("Testing wildcards...\n"); data.data = (unsigned char *) wildcards; data.size = strlen(wildcards); ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "example.com"); if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "example.org"); if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "www.example.net"); if (ret==0) fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret); if (debug) success("Testing pem1...\n"); data.data = (unsigned char *) pem1; data.size = strlen(pem1); ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "foo"); if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); if (debug) success("Testing pem2...\n"); data.data = (unsigned char *) pem2; data.size = strlen(pem2); ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "foo"); if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "www.example.org"); if (!ret) fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "*.example.org"); if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); if (debug) success("Testing pem3...\n"); data.data = (unsigned char *) pem3; data.size = strlen(pem3); ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "foo"); if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "www.example.org"); if (!ret) fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "*.example.org"); if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); if (debug) success("Testing pem4...\n"); data.data = (unsigned char *) pem4; data.size = strlen(pem4); ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "foo"); if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "www.example.org"); if (!ret) fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname2(x509, "www.example.org", GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS); if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "foo.example.org"); if (!ret) fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "foo.example.com"); if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); #ifdef SUPPORT_COMPLEX_WILDCARDS if (debug) success("Testing pem6...\n"); data.data = (unsigned char *) pem6; data.size = strlen(pem6); ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "foo.example.org"); if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "bar.foo.example.org"); if (!ret) fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret); if (debug) success("Testing pem7...\n"); data.data = (unsigned char *) pem7; data.size = strlen(pem7); ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "foo.bar.example.org"); if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "foobar.bar.example.org"); if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "foobar.example.org"); if (!ret) fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "foobazbar.example.org"); if (!ret) fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret); #endif if (debug) success("Testing pem8...\n"); data.data = (unsigned char *) pem8; data.size = strlen(pem8); ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret); /* this was passing in old gnutls versions, but that was not a * good idea. See http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/7380 * for a discussion. */ ret = gnutls_x509_crt_check_hostname(x509, "www.example.org"); if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "www.example."); if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); /* this was passing in old gnutls versions, but that was not a * good idea. See http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/7380 * for a discussion. */ ret = gnutls_x509_crt_check_hostname(x509, "www.example.com"); if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "www.example.foo.com"); if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); if (debug) success("Testing pem9...\n"); data.data = (unsigned char *) pem9; data.size = strlen(pem9); ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "foo.example.org"); if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "bar.example.org"); if (!ret) fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret); if (debug) success("Testing pem10...\n"); data.data = (unsigned char *) pem10; data.size = strlen(pem10); ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "localhost"); if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); if (debug) success("Testing pem_too_many...\n"); data.data = (unsigned char *) pem_too_many; data.size = strlen(pem_too_many); ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "localhost.gnutls.gnutls.org"); if (ret) fail("%d: Hostname verification should have failed (too many wildcards)\n", __LINE__); if (debug) success("Testing pem-ips...\n"); data.data = (unsigned char *) pem_ips; data.size = strlen(pem_ips); ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "127.0.0.2"); if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "example.com"); if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "127.0.0.1"); if (!ret) fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "192.168.5.1"); if (!ret) fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "::1"); if (!ret) fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "fe80::3e97:eff:fe18:359a"); if (!ret) fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret); if (debug) success("Testing multi-cns...\n"); data.data = (unsigned char *) multi_cns; data.size = strlen(multi_cns); ret = gnutls_x509_crt_import(x509, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) fail("%d: gnutls_x509_crt_import: %d\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "example.com"); if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "www.example.com"); if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "www.example2.com"); if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); ret = gnutls_x509_crt_check_hostname(x509, "www.example3.com"); if (ret) fail("%d: Hostname incorrectly matches (%d)\n", __LINE__, ret); #ifdef ENABLE_OPENPGP if (debug) success("Testing pem11...\n"); data.data = (unsigned char *) pem11; data.size = strlen(pem11); ret = gnutls_openpgp_crt_import(pgp, &data, GNUTLS_OPENPGP_FMT_BASE64); if (ret < 0) fail("%d: gnutls_openpgp_crt_import: %d\n", __LINE__, ret); ret = gnutls_openpgp_crt_check_hostname(pgp, "test.gnutls.org"); if (!ret) fail("%d: Hostname incorrectly does not match (%d)\n", __LINE__, ret); gnutls_openpgp_crt_deinit(pgp); #endif gnutls_x509_crt_deinit(x509); gnutls_global_deinit(); }
static int pgp_crt_to_raw_pubkey(const gnutls_datum_t * cert, gnutls_datum_t *rpubkey) { #ifdef ENABLE_OPENPGP gnutls_openpgp_crt_t crt = NULL; gnutls_pubkey_t pubkey = NULL; size_t size; int ret; ret = gnutls_openpgp_crt_init(&crt); if (ret < 0) return gnutls_assert_val(ret); ret = gnutls_pubkey_init(&pubkey); if (ret < 0) { gnutls_assert(); goto cleanup; } ret = gnutls_openpgp_crt_import(crt, cert, GNUTLS_OPENPGP_FMT_RAW); if (ret < 0) { gnutls_assert(); goto cleanup; } ret = gnutls_pubkey_import_openpgp (pubkey, crt, 0); if (ret < 0) { gnutls_assert(); goto cleanup; } size = 0; ret = gnutls_pubkey_export(pubkey, GNUTLS_X509_FMT_DER, NULL, &size); if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { gnutls_assert(); goto cleanup; } rpubkey->data = gnutls_malloc(size); if (rpubkey->data == NULL) if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { ret = GNUTLS_E_MEMORY_ERROR; gnutls_assert(); goto cleanup; } ret = gnutls_pubkey_export(pubkey, GNUTLS_X509_FMT_DER, rpubkey->data, &size); if (ret < 0) { gnutls_free(rpubkey->data); gnutls_assert(); goto cleanup; } rpubkey->size = size; ret = 0; cleanup: gnutls_openpgp_crt_deinit(crt); gnutls_pubkey_deinit(pubkey); return ret; #else return GNUTLS_E_UNIMPLEMENTED_FEATURE; #endif }
void doit (void) { gnutls_x509_crt_t x509; #ifdef ENABLE_OPENPGP gnutls_openpgp_crt_t pgp; #endif gnutls_datum_t data; int ret; ret = gnutls_global_init (); if (ret < 0) fail ("gnutls_global_init: %d\n", ret); ret = gnutls_x509_crt_init (&x509); if (ret < 0) fail ("gnutls_x509_crt_init: %d\n", ret); #ifdef ENABLE_OPENPGP ret = gnutls_openpgp_crt_init (&pgp); if (ret < 0) fail ("gnutls_openpgp_crt_init: %d\n", ret); #endif if (debug) success ("Testing pem1...\n"); data.data = pem1; data.size = strlen (pem1); ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) fail ("gnutls_x509_crt_import: %d\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "foo"); if (ret) fail ("Hostname incorrectly matches (%d)\n", ret); if (debug) success ("Testing pem2...\n"); data.data = pem2; data.size = strlen (pem2); ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) fail ("gnutls_x509_crt_import: %d\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "foo"); if (ret) fail ("Hostname incorrectly matches (%d)\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "www.example.org"); if (!ret) fail ("Hostname incorrectly does not match (%d)\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "*.example.org"); if (ret) fail ("Hostname incorrectly matches (%d)\n", ret); if (debug) success ("Testing pem3...\n"); data.data = pem3; data.size = strlen (pem3); ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) fail ("gnutls_x509_crt_import: %d\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "foo"); if (ret) fail ("Hostname incorrectly matches (%d)\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "www.example.org"); if (!ret) fail ("Hostname incorrectly does not match (%d)\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "*.example.org"); if (ret) fail ("Hostname incorrectly matches (%d)\n", ret); if (debug) success ("Testing pem4...\n"); data.data = pem4; data.size = strlen (pem4); ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) fail ("gnutls_x509_crt_import: %d\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "foo"); if (ret) fail ("Hostname incorrectly matches (%d)\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "www.example.org"); if (!ret) fail ("Hostname incorrectly does not match (%d)\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "foo.example.org"); if (!ret) fail ("Hostname incorrectly does not match (%d)\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "foo.example.com"); if (ret) fail ("Hostname incorrectly matches (%d)\n", ret); if (debug) success ("Testing pem5...\n"); data.data = pem5; data.size = strlen (pem5); ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) fail ("gnutls_x509_crt_import: %d\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "foo"); if (ret) fail ("Hostname incorrectly matches (%d)\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "1.2.3.4"); if (!ret) fail ("Hostname incorrectly does not match (%d)\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "www.example.org"); if (ret) fail ("Hostname incorrectly matches (%d)\n", ret); if (debug) success ("Testing pem6...\n"); data.data = pem6; data.size = strlen (pem6); ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) fail ("gnutls_x509_crt_import: %d\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "foo.example.org"); if (ret) fail ("Hostname incorrectly matches (%d)\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "bar.foo.example.org"); if (!ret) fail ("Hostname incorrectly does not match (%d)\n", ret); if (debug) success ("Testing pem7...\n"); data.data = pem7; data.size = strlen (pem7); ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) fail ("gnutls_x509_crt_import: %d\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "foo.bar.example.org"); if (ret) fail ("Hostname incorrectly matches (%d)\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "foobar.bar.example.org"); if (ret) fail ("Hostname incorrectly matches (%d)\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "foobar.example.org"); if (!ret) fail ("Hostname incorrectly does not match (%d)\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "foobazbar.example.org"); if (!ret) fail ("Hostname incorrectly does not match (%d)\n", ret); if (debug) success ("Testing pem8...\n"); data.data = pem8; data.size = strlen (pem8); ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) fail ("gnutls_x509_crt_import: %d\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "www.example.org"); if (!ret) fail ("Hostname incorrectly does not match (%d)\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "www.example."); if (!ret) fail ("Hostname incorrectly does not match (%d)\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "www.example.com"); if (!ret) fail ("Hostname incorrectly does not match (%d)\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "www.example.foo.com"); if (ret) fail ("Hostname incorrectly matches (%d)\n", ret); if (debug) success ("Testing pem9...\n"); data.data = pem9; data.size = strlen (pem9); ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) fail ("gnutls_x509_crt_import: %d\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "foo.example.org"); if (ret) fail ("Hostname incorrectly matches (%d)\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "bar.example.org"); if (!ret) fail ("Hostname incorrectly does not match (%d)\n", ret); if (debug) success ("Testing pem10...\n"); data.data = pem10; data.size = strlen (pem10); ret = gnutls_x509_crt_import (x509, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) fail ("gnutls_x509_crt_import: %d\n", ret); ret = gnutls_x509_crt_check_hostname (x509, "localhost"); if (ret) fail ("Hostname incorrectly matches (%d)\n", ret); #ifdef ENABLE_OPENPGP if (debug) success ("Testing pem11...\n"); data.data = pem11; data.size = strlen (pem11); ret = gnutls_openpgp_crt_import (pgp, &data, GNUTLS_OPENPGP_FMT_BASE64); if (ret < 0) fail ("gnutls_openpgp_crt_import: %d\n", ret); ret = gnutls_openpgp_crt_check_hostname (pgp, "test.gnutls.org"); if (!ret) fail ("Hostname incorrectly does not match (%d)\n", ret); gnutls_openpgp_crt_deinit (pgp); #endif gnutls_x509_crt_deinit (x509); gnutls_global_deinit (); }
/* Load the certificate and the private key. */ static void load_keys (void) { unsigned int crt_num; int ret, i; gnutls_datum_t data = { NULL, 0 }; gnutls_x509_crt_t crt_list[MAX_CRT]; #ifdef ENABLE_PKCS11 gnutls_pkcs11_privkey_t pkcs11_key; #endif gnutls_x509_privkey_t tmp_key; unsigned char keyid[GNUTLS_OPENPGP_KEYID_SIZE]; if (x509_certfile != NULL && x509_keyfile != NULL) { #ifdef ENABLE_PKCS11 if (strncmp (x509_certfile, "pkcs11:", 7) == 0) { crt_num = 1; gnutls_x509_crt_init (&crt_list[0]); ret = gnutls_x509_crt_import_pkcs11_url (crt_list[0], x509_certfile, 0); if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) ret = gnutls_x509_crt_import_pkcs11_url (crt_list[0], x509_certfile, GNUTLS_PKCS11_OBJ_FLAG_LOGIN); if (ret < 0) { fprintf (stderr, "*** Error loading cert file.\n"); exit (1); } x509_crt_size = 1; } else #endif /* ENABLE_PKCS11 */ { data = load_file (x509_certfile); if (data.data == NULL) { fprintf (stderr, "*** Error loading cert file.\n"); exit (1); } crt_num = MAX_CRT; ret = gnutls_x509_crt_list_import (crt_list, &crt_num, &data, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); if (ret < 0) { if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { fprintf (stderr, "*** Error loading cert file: Too many certs %d\n", crt_num); } else { fprintf (stderr, "*** Error loading cert file: %s\n", gnutls_strerror (ret)); } exit (1); } x509_crt_size = ret; } for (i=0;i<x509_crt_size;i++) { ret = gnutls_pcert_import_x509(&x509_crt[i], crt_list[i], 0); if (ret < 0) { fprintf(stderr, "*** Error importing crt to pcert: %s\n", gnutls_strerror(ret)); exit(1); } gnutls_x509_crt_deinit(crt_list[i]); } unload_file (&data); ret = gnutls_privkey_init(&x509_key); if (ret < 0) { fprintf (stderr, "*** Error initializing key: %s\n", gnutls_strerror (ret)); exit (1); } #ifdef ENABLE_PKCS11 if (strncmp (x509_keyfile, "pkcs11:", 7) == 0) { gnutls_pkcs11_privkey_init (&pkcs11_key); ret = gnutls_pkcs11_privkey_import_url (pkcs11_key, x509_keyfile, 0); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } ret = gnutls_privkey_import_pkcs11( x509_key, pkcs11_key, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } } else #endif /* ENABLE_PKCS11 */ { data = load_file (x509_keyfile); if (data.data == NULL) { fprintf (stderr, "*** Error loading key file.\n"); exit (1); } gnutls_x509_privkey_init (&tmp_key); ret = gnutls_x509_privkey_import (tmp_key, &data, GNUTLS_X509_FMT_PEM); if (ret < 0) { fprintf (stderr, "*** Error loading key file: %s\n", gnutls_strerror (ret)); exit (1); } ret = gnutls_privkey_import_x509( x509_key, tmp_key, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } unload_file (&data); } fprintf (stdout, "Processed %d client X.509 certificates...\n", x509_crt_size); } #ifdef ENABLE_OPENPGP if (info.pgp_subkey != NULL) { get_keyid (keyid, info.pgp_subkey); } if (pgp_certfile != NULL && pgp_keyfile != NULL) { gnutls_openpgp_crt_t tmp_pgp_crt; data = load_file (pgp_certfile); if (data.data == NULL) { fprintf (stderr, "*** Error loading PGP cert file.\n"); exit (1); } gnutls_openpgp_crt_init (&tmp_pgp_crt); ret = gnutls_pcert_import_openpgp_raw (&pgp_crt, &data, GNUTLS_OPENPGP_FMT_BASE64, info.pgp_subkey!=NULL?keyid:NULL, 0); if (ret < 0) { fprintf (stderr, "*** Error loading PGP cert file: %s\n", gnutls_strerror (ret)); exit (1); } unload_file (&data); ret = gnutls_privkey_init(&pgp_key); if (ret < 0) { fprintf (stderr, "*** Error initializing key: %s\n", gnutls_strerror (ret)); exit (1); } #ifdef ENABLE_PKCS11 if (strncmp (pgp_keyfile, "pkcs11:", 7) == 0) { gnutls_pkcs11_privkey_init (&pkcs11_key); ret = gnutls_pkcs11_privkey_import_url (pkcs11_key, pgp_keyfile, 0); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } ret = gnutls_privkey_import_pkcs11( pgp_key, pkcs11_key, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } } else #endif /* ENABLE_PKCS11 */ { gnutls_openpgp_privkey_t tmp_pgp_key; data = load_file (pgp_keyfile); if (data.data == NULL) { fprintf (stderr, "*** Error loading PGP key file.\n"); exit (1); } gnutls_openpgp_privkey_init (&tmp_pgp_key); ret = gnutls_openpgp_privkey_import (tmp_pgp_key, &data, GNUTLS_OPENPGP_FMT_BASE64, NULL, 0); if (ret < 0) { fprintf (stderr, "*** Error loading PGP key file: %s\n", gnutls_strerror (ret)); exit (1); } if (info.pgp_subkey != NULL) { ret = gnutls_openpgp_privkey_set_preferred_key_id (tmp_pgp_key, keyid); if (ret < 0) { fprintf (stderr, "*** Error setting preferred sub key id (%s): %s\n", info.pgp_subkey, gnutls_strerror (ret)); exit (1); } } ret = gnutls_privkey_import_openpgp( pgp_key, tmp_pgp_key, GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } unload_file (&data); } fprintf (stdout, "Processed 1 client PGP certificate...\n"); } #endif }
static void print_openpgp_info (gnutls_session_t session, int flag, int print_cert) { gnutls_openpgp_crt_t crt; const gnutls_datum_t *cert_list; unsigned int cert_list_size = 0; int ret; printf ("- Certificate type: OpenPGP\n"); cert_list = gnutls_certificate_get_peers (session, &cert_list_size); if (cert_list_size > 0) { gnutls_datum_t cinfo; gnutls_openpgp_crt_init (&crt); ret = gnutls_openpgp_crt_import (crt, &cert_list[0], GNUTLS_OPENPGP_FMT_RAW); if (ret < 0) { fprintf (stderr, "Decoding error: %s\n", gnutls_strerror (ret)); return; } ret = gnutls_openpgp_crt_print (crt, flag, &cinfo); if (ret == 0) { printf ("- %s\n", cinfo.data); gnutls_free (cinfo.data); } if (print_cert) { size_t size = 0; char *p = NULL; ret = gnutls_openpgp_crt_export (crt, GNUTLS_OPENPGP_FMT_BASE64, p, &size); if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { p = malloc (size); if (!p) { fprintf (stderr, "gnutls_malloc\n"); exit (1); } ret = gnutls_openpgp_crt_export (crt, GNUTLS_OPENPGP_FMT_BASE64, p, &size); } if (ret < 0) { fprintf (stderr, "Encoding error: %s\n", gnutls_strerror (ret)); return; } fputs (p, stdout); fputs ("\n", stdout); gnutls_free (p); } gnutls_openpgp_crt_deinit (crt); } }
/* Load the certificate and the private key. */ static void load_keys (void) { unsigned int crt_num; int ret; unsigned int i; gnutls_datum_t data = { NULL, 0 }; gnutls_x509_crt_t crt_list[MAX_CRT]; unsigned char keyid[GNUTLS_OPENPGP_KEYID_SIZE]; if (x509_certfile != NULL && x509_keyfile != NULL) { #ifdef ENABLE_PKCS11 if (strncmp (x509_certfile, "pkcs11:", 7) == 0) { crt_num = 1; gnutls_x509_crt_init (&crt_list[0]); gnutls_x509_crt_set_pin_function(crt_list[0], pin_callback, NULL); ret = gnutls_x509_crt_import_pkcs11_url (crt_list[0], x509_certfile, 0); if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) ret = gnutls_x509_crt_import_pkcs11_url (crt_list[0], x509_certfile, GNUTLS_PKCS11_OBJ_FLAG_LOGIN); if (ret < 0) { fprintf (stderr, "*** Error loading cert file.\n"); exit (1); } x509_crt_size = 1; } else #endif /* ENABLE_PKCS11 */ { ret = gnutls_load_file (x509_certfile, &data); if (ret < 0) { fprintf (stderr, "*** Error loading cert file.\n"); exit (1); } crt_num = MAX_CRT; ret = gnutls_x509_crt_list_import (crt_list, &crt_num, &data, x509ctype, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); if (ret < 0) { if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) { fprintf (stderr, "*** Error loading cert file: Too many certs %d\n", crt_num); } else { fprintf (stderr, "*** Error loading cert file: %s\n", gnutls_strerror (ret)); } exit (1); } x509_crt_size = ret; } for (i=0;i<x509_crt_size;i++) { ret = gnutls_pcert_import_x509(&x509_crt[i], crt_list[i], 0); if (ret < 0) { fprintf(stderr, "*** Error importing crt to pcert: %s\n", gnutls_strerror(ret)); exit(1); } gnutls_x509_crt_deinit(crt_list[i]); } gnutls_free (data.data); ret = gnutls_privkey_init(&x509_key); if (ret < 0) { fprintf (stderr, "*** Error initializing key: %s\n", gnutls_strerror (ret)); exit (1); } gnutls_privkey_set_pin_function(x509_key, pin_callback, NULL); if (gnutls_url_is_supported(x509_keyfile) != 0) { ret = gnutls_privkey_import_url (x509_key, x509_keyfile, 0); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } } else { ret = gnutls_load_file (x509_keyfile, &data); if (ret < 0) { fprintf (stderr, "*** Error loading key file.\n"); exit (1); } ret = gnutls_privkey_import_x509_raw( x509_key, &data, x509ctype, NULL, 0); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } gnutls_free(data.data); } fprintf (stdout, "Processed %d client X.509 certificates...\n", x509_crt_size); } #ifdef ENABLE_OPENPGP if (HAVE_OPT(PGPSUBKEY)) { get_keyid (keyid, OPT_ARG(PGPSUBKEY)); } if (pgp_certfile != NULL && pgp_keyfile != NULL) { gnutls_openpgp_crt_t tmp_pgp_crt; ret = gnutls_load_file (pgp_certfile, &data); if (ret < 0) { fprintf (stderr, "*** Error loading PGP cert file.\n"); exit (1); } gnutls_openpgp_crt_init (&tmp_pgp_crt); ret = gnutls_pcert_import_openpgp_raw (&pgp_crt, &data, GNUTLS_OPENPGP_FMT_BASE64, HAVE_OPT(PGPSUBKEY)?keyid:NULL, 0); if (ret < 0) { fprintf (stderr, "*** Error loading PGP cert file: %s\n", gnutls_strerror (ret)); exit (1); } gnutls_free (data.data); ret = gnutls_privkey_init(&pgp_key); if (ret < 0) { fprintf (stderr, "*** Error initializing key: %s\n", gnutls_strerror (ret)); exit (1); } gnutls_privkey_set_pin_function(pgp_key, pin_callback, NULL); if (gnutls_url_is_supported (pgp_keyfile)) { ret = gnutls_privkey_import_url( pgp_key, pgp_keyfile, 0); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } } else { ret = gnutls_load_file (pgp_keyfile, &data); if (ret < 0) { fprintf (stderr, "*** Error loading key file.\n"); exit (1); } if (HAVE_OPT(PGPSUBKEY)) ret = gnutls_privkey_import_openpgp_raw( pgp_key, &data, x509ctype, keyid, NULL); else ret = gnutls_privkey_import_openpgp_raw( pgp_key, &data, x509ctype, NULL, NULL); if (ret < 0) { fprintf (stderr, "*** Error loading url: %s\n", gnutls_strerror (ret)); exit (1); } gnutls_free(data.data); } fprintf (stdout, "Processed 1 client PGP certificate...\n"); } #endif }