ne_ssl_certificate *ne_ssl_cert_import(const char *data)
{
int ret;
size_t len;
unsigned char *der;
gnutls_datum buffer = { NULL, 0 };
gnutls_x509_crt x5;
if (gnutls_x509_crt_init(&x5) != 0)
return NULL;
/* decode the base64 to get the raw DER representation */
len = ne_unbase64(data, &der);
if (len == 0) return NULL;
buffer.data = der;
buffer.size = len;
ret = gnutls_x509_crt_import(x5, &buffer, GNUTLS_X509_FMT_DER);
ne_free(der);
if (ret < 0) {
gnutls_x509_crt_deinit(x5);
return NULL;
}
return populate_cert(ne_calloc(sizeof(struct ne_ssl_certificate_s)), x5);
}
static void build_gnutls_cert_list(HevImpathyTLSVerifier *self)
{
HevImpathyTLSVerifierPrivate *priv =
HEV_IMPATHY_TLS_VERIFIER_GET_PRIVATE(self);
guint num_certs = 0;
guint idx = 0;
GPtrArray *certificate_data = NULL;
g_debug("%s:%d[%s]", __FILE__, __LINE__, __FUNCTION__);
g_object_get(priv->certificate, "cert-data",
&certificate_data, NULL);
num_certs = certificate_data->len;
priv->cert_chain = g_ptr_array_new_with_free_func(
(GDestroyNotify)gnutls_x509_crt_deinit);
for(idx=0; idx<num_certs; idx++)
{
gnutls_x509_crt_t cert = 0;
GArray *one_cert = NULL;
gnutls_datum_t datum = { NULL, 0 };
one_cert = g_ptr_array_index(certificate_data, idx);
datum.data = (guchar *)one_cert->data;
datum.size = one_cert->len;
gnutls_x509_crt_init(&cert);
gnutls_x509_crt_import(cert, &datum, GNUTLS_X509_FMT_DER);
g_ptr_array_add(priv->cert_chain, cert);
}
}
int
tls_import_cert(const uschar * buf, void ** cert)
{
void * reset_point = store_get(0);
gnutls_datum_t datum;
gnutls_x509_crt_t crt = *(gnutls_x509_crt_t *)cert;
int fail = 0;
if (crt)
gnutls_x509_crt_deinit(crt);
else
gnutls_global_init();
gnutls_x509_crt_init(&crt);
datum.data = string_unprinting(US buf);
datum.size = Ustrlen(datum.data);
if ((fail = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM)))
{
log_write(0, LOG_MAIN, "TLS error in certificate import: %s",
gnutls_strerror(fail));
fail = 1;
}
else
*cert = (void *)crt;
store_reset(reset_point);
return fail;
}
int
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
{
gnutls_x509_crt_t cert;
gnutls_digest_algorithm_t algo;
unsigned int cert_list_size;
const gnutls_datum_t *cert_list;
uint8_t digest[RB_SSL_CERTFP_LEN * 2];
size_t digest_size;
int len;
if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509)
return 0;
if (gnutls_x509_crt_init(&cert) < 0)
return 0;
cert_list_size = 0;
cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size);
if (cert_list == NULL)
{
gnutls_x509_crt_deinit(cert);
return 0;
}
if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
{
gnutls_x509_crt_deinit(cert);
return 0;
}
switch(method)
{
case RB_SSL_CERTFP_METH_SHA1:
algo = GNUTLS_DIG_SHA1;
len = RB_SSL_CERTFP_LEN_SHA1;
break;
case RB_SSL_CERTFP_METH_SHA256:
algo = GNUTLS_DIG_SHA256;
len = RB_SSL_CERTFP_LEN_SHA256;
break;
case RB_SSL_CERTFP_METH_SHA512:
algo = GNUTLS_DIG_SHA512;
len = RB_SSL_CERTFP_LEN_SHA512;
break;
default:
return 0;
}
if (gnutls_x509_crt_get_fingerprint(cert, algo, digest, &digest_size) < 0)
{
gnutls_x509_crt_deinit(cert);
return 0;
}
memcpy(certfp, digest, len);
gnutls_x509_crt_deinit(cert);
return len;
}
/* Loads the CA's certificate
*/
gnutls_x509_crt_t
load_ca_cert (common_info_st * info)
{
gnutls_x509_crt_t crt;
int ret;
gnutls_datum_t dat;
size_t size;
if (info->ca == NULL)
error (EXIT_FAILURE, 0, "missing --load-ca-certificate");
ret = gnutls_x509_crt_init (&crt);
if (ret < 0)
error (EXIT_FAILURE, 0, "crt_init: %s", gnutls_strerror (ret));
dat.data = read_binary_file (info->ca, &size);
dat.size = size;
if (!dat.data)
error (EXIT_FAILURE, errno, "reading --load-ca-certificate: %s",
info->ca);
ret = gnutls_x509_crt_import (crt, &dat, info->incert_format);
free (dat.data);
if (ret < 0)
error (EXIT_FAILURE, 0, "importing --load-ca-certificate: %s: %s",
info->ca, gnutls_strerror (ret));
return crt;
}
/** Transforms a gnutls_datum containing an X.509 certificate into a Certificate instance under the x509_gnutls scheme
*
* @param dt Datum to transform
* @param mode GnuTLS certificate format specifier (GNUTLS_X509_FMT_PEM for
* reading from files, and GNUTLS_X509_FMT_DER for converting
* "over the wire" certs for SSL)
*
* @return A newly allocated Certificate structure of the x509_gnutls scheme
*/
static PurpleCertificate *
x509_import_from_datum(const gnutls_datum_t dt, gnutls_x509_crt_fmt_t mode)
{
/* Internal certificate data structure */
x509_crtdata_t *certdat;
/* New certificate to return */
PurpleCertificate * crt;
/* Allocate and prepare the internal certificate data */
certdat = g_new0(x509_crtdata_t, 1);
if (gnutls_x509_crt_init(&(certdat->crt)) != 0) {
g_free(certdat);
return NULL;
}
certdat->refcount = 0;
/* Perform the actual certificate parse */
/* Yes, certdat->crt should be passed as-is */
if (gnutls_x509_crt_import(certdat->crt, &dt, mode) != 0) {
g_free(certdat);
return NULL;
}
/* Allocate the certificate and load it with data */
crt = g_new0(PurpleCertificate, 1);
crt->scheme = &x509_gnutls;
crt->data = x509_crtdata_addref(certdat);
return crt;
}
/**
* gnutls_pcert_import_x509_raw:
* @pcert: The pcert structure
* @cert: The raw certificate to be imported
* @format: The format of the certificate
* @flags: zero for now
*
* This convenience function will import the given certificate to a
* #gnutls_pcert_st structure. The structure must be deinitialized
* afterwards using gnutls_pcert_deinit();
*
* Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
* negative error value.
**/
int gnutls_pcert_import_x509_raw (gnutls_pcert_st *pcert,
const gnutls_datum_t* cert,
gnutls_x509_crt_fmt_t format, unsigned int flags)
{
int ret;
gnutls_x509_crt_t crt;
memset(pcert, 0, sizeof(*pcert));
ret = gnutls_x509_crt_init(&crt);
if (ret < 0)
return gnutls_assert_val(ret);
ret = gnutls_x509_crt_import(crt, cert, format);
if (ret < 0)
{
ret = gnutls_assert_val(ret);
goto cleanup;
}
ret = gnutls_pcert_import_x509(pcert, crt, flags);
if (ret < 0)
{
ret = gnutls_assert_val(ret);
goto cleanup;
}
ret = 0;
cleanup:
gnutls_x509_crt_deinit(crt);
return ret;
}
int
main (void)
{
gnutls_x509_crt_t crt;
gnutls_datum_t data = { "foo", 3 };
gnutls_datum_t sig = { "bar", 3 };
int ret;
gnutls_global_init ();
ret = gnutls_x509_crt_init (&crt);
if (ret < 0)
return 1;
ret = gnutls_x509_crt_import (crt, &dsa_cert_dat, GNUTLS_X509_FMT_PEM);
if (ret < 0)
return 1;
ret = gnutls_x509_crt_verify_data (crt, 0, &data, &sig);
if (ret < 0)
return 1;
printf ("success!\n");
gnutls_x509_crt_deinit (crt);
gnutls_global_deinit ();
return 0;
}
/* Return the certificate chain sent by the peer, or NULL on error. */
static ne_ssl_certificate *make_peers_chain(gnutls_session sock)
{
ne_ssl_certificate *current = NULL, *top = NULL;
const gnutls_datum *certs;
unsigned int n, count;
certs = gnutls_certificate_get_peers(sock, &count);
if (!certs) {
return NULL;
}
for (n = 0; n < count; n++) {
ne_ssl_certificate *cert;
gnutls_x509_crt x5;
if (gnutls_x509_crt_init(&x5) ||
gnutls_x509_crt_import(x5, &certs[n], GNUTLS_X509_FMT_DER)) {
ne_ssl_cert_free(top);
return NULL;
}
cert = populate_cert(ne_malloc(sizeof *cert), x5);
if (top == NULL) {
current = top = cert;
} else {
current->issuer = cert;
current = cert;
}
}
return top;
}
static gnutls_x509_crt_t
load_cert (void)
{
gnutls_x509_crt_t crt;
int ret;
gnutls_datum_t dat;
size_t size;
if (!HAVE_OPT(LOAD_CERT))
error (EXIT_FAILURE, 0, "missing --load-cert");
ret = gnutls_x509_crt_init (&crt);
if (ret < 0)
error (EXIT_FAILURE, 0, "crt_init: %s", gnutls_strerror (ret));
dat.data = (void*)read_binary_file (OPT_ARG(LOAD_CERT), &size);
dat.size = size;
if (!dat.data)
error (EXIT_FAILURE, errno, "reading --load-cert: %s", OPT_ARG(LOAD_CERT));
ret = gnutls_x509_crt_import (crt, &dat, encoding);
free (dat.data);
if (ret < 0)
error (EXIT_FAILURE, 0, "importing --load-cert: %s: %s",
OPT_ARG(LOAD_CERT), gnutls_strerror (ret));
return crt;
}
int crypto_push_cert(crypto_ctx *ctx,
const unsigned char *data,
size_t len,
crypto_error **error)
{
gnutls_x509_crt_t cert;
gnutls_datum dt;
int err;
if (!ctx || !data || (len <= 0)) {
crypto_error_set(error, 1, 0, "invalid crypto context or data");
return 1;
}
if (ctx->num >= CERT_STACK_DEPTH) {
crypto_error_set(error, 1, 0, "too many certificates in the chain.");
return 1;
}
gnutls_x509_crt_init (&cert);
dt.data = (unsigned char *) data;
dt.size = len;
err = gnutls_x509_crt_import (cert, &dt, GNUTLS_X509_FMT_DER);
if (err != GNUTLS_E_SUCCESS) {
gnutls_x509_crt_deinit (cert);
crypto_error_set(error, 1, 0, "failed to decode certificate");
return 1;
}
ctx->stack[ctx->num] = cert;
ctx->num++;
return 0;
}
static int etpan_certificate_check(const unsigned char *certificate, int len, void *data)
{
#ifdef USE_GNUTLS
struct connect_param *param = (struct connect_param *)data;
gnutls_x509_crt_t cert = NULL;
gnutls_datum_t tmp;
if (certificate == NULL || len < 0) {
g_warning("no cert presented.\n");
return 0;
}
tmp.data = malloc(len);
memcpy(tmp.data, certificate, len);
tmp.size = len;
gnutls_x509_crt_init(&cert);
if (gnutls_x509_crt_import(cert, &tmp, GNUTLS_X509_FMT_DER) < 0) {
g_warning("nntp: can't get cert\n");
return 0;
} else if (ssl_certificate_check(cert, (guint)-1,
(gchar *)param->server, (gushort)param->port) == TRUE) {
gnutls_x509_crt_deinit(cert);
return 0;
} else {
gnutls_x509_crt_deinit(cert);
return -1;
}
#endif
return 0;
}
static gnutls_x509_crt_t /* O - Certificate */
http_gnutls_create_credential(
http_credential_t *credential) /* I - Credential */
{
int result; /* Result from GNU TLS */
gnutls_x509_crt_t cert; /* Certificate */
gnutls_datum_t datum; /* Data record */
DEBUG_printf(("3http_gnutls_create_credential(credential=%p)", credential));
if (!credential)
return (NULL);
if ((result = gnutls_x509_crt_init(&cert)) < 0)
{
DEBUG_printf(("4http_gnutls_create_credential: init error: %s", gnutls_strerror(result)));
return (NULL);
}
datum.data = credential->data;
datum.size = credential->datalen;
if ((result = gnutls_x509_crt_import(cert, &datum, GNUTLS_X509_FMT_DER)) < 0)
{
DEBUG_printf(("4http_gnutls_create_credential: import error: %s", gnutls_strerror(result)));
gnutls_x509_crt_deinit(cert);
return (NULL);
}
return (cert);
}
/* Reads a DER encoded certificate list from memory and stores it to a
* gnutls_cert structure. Returns the number of certificates parsed.
*/
static int
parse_der_cert_mem (gnutls_cert ** cert_list, unsigned *ncerts,
const void *input_cert, int input_cert_size)
{
gnutls_datum_t tmp;
gnutls_x509_crt_t cert;
int ret;
ret = gnutls_x509_crt_init (&cert);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
tmp.data = (opaque *) input_cert;
tmp.size = input_cert_size;
ret = gnutls_x509_crt_import (cert, &tmp, GNUTLS_X509_FMT_DER);
if (ret < 0)
{
gnutls_assert ();
gnutls_x509_crt_deinit (cert);
return ret;
}
ret = parse_crt_mem (cert_list, ncerts, cert);
gnutls_x509_crt_deinit (cert);
return ret;
}
int _gnutls_x509_crt_import_system_url(gnutls_x509_crt_t crt, const char *url)
{
uint8_t id[MAX_WID_SIZE];
HCERTSTORE store = NULL;
size_t id_size;
const CERT_CONTEXT *cert = NULL;
CRYPT_HASH_BLOB blob;
int ret;
gnutls_datum_t data;
if (ncrypt_init == 0)
return gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
id_size = sizeof(id);
ret = get_id(url, id, &id_size, 0);
if (ret < 0)
return gnutls_assert_val(ret);
blob.cbData = id_size;
blob.pbData = id;
store = CertOpenStore(CERT_STORE_PROV_SYSTEM, 0, 0, CERT_SYSTEM_STORE_CURRENT_USER, L"MY");
if (store == NULL) {
gnutls_assert();
ret = GNUTLS_E_FILE_ERROR;
goto cleanup;
}
cert = CertFindCertificateInStore(store,
X509_ASN_ENCODING,
0,
CERT_FIND_KEY_IDENTIFIER,
&blob, NULL);
if (cert == NULL) {
char buf[64];
_gnutls_debug_log("cannot find ID: %s from %s\n",
_gnutls_bin2hex(id, id_size,
buf, sizeof(buf), NULL), url);
ret = gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
goto cleanup;
}
data.data = cert->pbCertEncoded;
data.size = cert->cbCertEncoded;
ret = gnutls_x509_crt_import(crt, &data, GNUTLS_X509_FMT_DER);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = 0;
cleanup:
if (cert != 0)
CertFreeCertificateContext(cert);
CertCloseStore(store, 0);
return ret;
}
/* This function will convert a der certificate to a format
* (structure) that gnutls can understand and use. Actually the
* important thing on this function is that it extracts the
* certificate's (public key) parameters.
*
* The noext flag is used to complete the handshake even if the
* extensions found in the certificate are unsupported and critical.
* The critical extensions will be catched by the verification functions.
*/
int
_gnutls_x509_raw_cert_to_gcert (gnutls_cert * gcert,
const gnutls_datum_t * derCert,
int flags /* OR of ConvFlags */ )
{
int ret;
gnutls_x509_crt_t cert;
ret = gnutls_x509_crt_init (&cert);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
ret = gnutls_x509_crt_import (cert, derCert, GNUTLS_X509_FMT_DER);
if (ret < 0)
{
gnutls_assert ();
gnutls_x509_crt_deinit (cert);
return ret;
}
ret = _gnutls_x509_crt_to_gcert (gcert, cert, flags);
gnutls_x509_crt_deinit (cert);
return ret;
}
void
doit (void)
{
gnutls_datum_t der = { pem, sizeof (pem) };
gnutls_x509_crt_t cert;
gnutls_datum_t out;
int ret;
ret = gnutls_global_init ();
if (ret < 0)
fail ("init %d\n", ret);
ret = gnutls_x509_crt_init (&cert);
if (ret < 0)
fail ("crt_init %d\n", ret);
ret = gnutls_x509_crt_import (cert, &der, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("crt_import %d\n", ret);
ret = gnutls_x509_crt_print (cert, GNUTLS_CRT_PRINT_ONELINE, &out);
if (ret < 0)
fail ("x509_crt_print %d\n", ret);
if (out.size != strlen (info) || strcmp (out.data, info) != 0)
fail ("comparison fail (%d/%d)\nexpect: %s\n got: %.*s\n",
out.size, (int) strlen (info), info, out.size, out.data);
gnutls_x509_crt_deinit (cert);
gnutls_global_deinit ();
gnutls_free (out.data);
if (debug)
success ("done\n");
}
LIBETPAN_EXPORT
int mailstream_ssl_set_client_certificate_data(struct mailstream_ssl_context * ssl_context,
unsigned char *x509_der, size_t len)
{
#ifdef USE_SSL
#ifndef USE_GNUTLS
X509 *x509 = NULL;
if (x509_der != NULL && len > 0)
x509 = d2i_X509(NULL, (const unsigned char **)&x509_der, len);
ssl_context->client_x509 = (X509 *)x509;
return 0;
#else
gnutls_datum tmp;
int r;
ssl_context->client_x509 = NULL;
if (len == 0)
return 0;
gnutls_x509_crt_init(&(ssl_context->client_x509));
tmp.data = x509_der;
tmp.size = len;
if ((r = gnutls_x509_crt_import(ssl_context->client_x509, &tmp, GNUTLS_X509_FMT_DER)) < 0) {
gnutls_x509_crt_deinit(ssl_context->client_x509); /* ici */
ssl_context->client_x509 = NULL;
return -1;
}
return 0;
#endif
#endif
return -1;
}
/* Returns a copy certificate of certificate SRC. */
static gnutls_x509_crt x509_crt_copy(gnutls_x509_crt src)
{
int ret;
size_t size;
gnutls_datum tmp;
gnutls_x509_crt dest;
if (gnutls_x509_crt_init(&dest) != 0) {
return NULL;
}
if (gnutls_x509_crt_export(src, GNUTLS_X509_FMT_DER, NULL, &size)
!= GNUTLS_E_SHORT_MEMORY_BUFFER) {
gnutls_x509_crt_deinit(dest);
return NULL;
}
tmp.data = ne_malloc(size);
ret = gnutls_x509_crt_export(src, GNUTLS_X509_FMT_DER, tmp.data, &size);
if (ret == 0) {
tmp.size = size;
ret = gnutls_x509_crt_import(dest, &tmp, GNUTLS_X509_FMT_DER);
}
if (ret) {
gnutls_x509_crt_deinit(dest);
dest = NULL;
}
ne_free(tmp.data);
return dest;
}
static int get_client_cert(gnutls_session_t session, gnutls_x509_crt_t *client_cert) {
const gnutls_datum_t *pcert;
unsigned listsize;
gnutls_x509_crt_t cert;
int r;
assert(session);
assert(client_cert);
pcert = gnutls_certificate_get_peers(session, &listsize);
if (!pcert || !listsize) {
log_error("Failed to retrieve certificate chain");
return -EINVAL;
}
r = gnutls_x509_crt_init(&cert);
if (r < 0) {
log_error("Failed to initialize client certificate");
return r;
}
/* Note that by passing values between 0 and listsize here, you
can get access to the CA's certs */
r = gnutls_x509_crt_import(cert, &pcert[0], GNUTLS_X509_FMT_DER);
if (r < 0) {
log_error("Failed to import client certificate");
gnutls_x509_crt_deinit(cert);
return r;
}
*client_cert = cert;
return 0;
}
static gnutls_x509_crt_t
load_cert (const char *cert_file)
{
gnutls_x509_crt_t crt;
int ret;
gnutls_datum_t data;
size_t size;
ret = gnutls_x509_crt_init (&crt);
if (ret < 0)
exit (1);
data.data = (void *) read_binary_file (cert_file, &size);
data.size = size;
if (!data.data)
{
fprintf (stderr, "Cannot open file: %s\n", cert_file);
exit (1);
}
ret = gnutls_x509_crt_import (crt, &data, GNUTLS_X509_FMT_PEM);
free (data.data);
if (ret < 0)
{
fprintf (stderr, "Cannot import certificate in %s: %s\n",
cert_file, gnutls_strerror (ret));
exit (1);
}
return crt;
}
/*-
* gnutls_x509_extract_certificate_dn_string - This function returns the certificate's distinguished name
* @cert: should contain an X.509 DER encoded certificate
* @buf: a pointer to a structure to hold the peer's name
* @sizeof_buf: holds the size of 'buf'
* @issuer: if non zero, then extract the name of the issuer, instead of the holder
*
* This function will copy the name of the certificate holder in the provided buffer. The name
* will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253.
*
* Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough,
* and 0 on success.
*
-*/
int
gnutls_x509_extract_certificate_dn_string (char *buf,
unsigned int sizeof_buf,
const gnutls_datum_t * cert,
int issuer)
{
gnutls_x509_crt_t xcert;
int result;
result = gnutls_x509_crt_init (&xcert);
if (result < 0)
return result;
result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
if (result < 0)
{
gnutls_x509_crt_deinit (xcert);
return result;
}
if (!issuer)
result = gnutls_x509_crt_get_dn (xcert, buf, &sizeof_buf);
else
result = gnutls_x509_crt_get_issuer_dn (xcert, buf, &sizeof_buf);
gnutls_x509_crt_deinit (xcert);
return result;
}
static void print_x509_info_compact(gnutls_session_t session)
{
gnutls_x509_crt_t crt;
const gnutls_datum_t *cert_list;
unsigned int cert_list_size = 0;
int ret;
gnutls_datum_t cinfo;
cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
if (cert_list_size == 0) {
fprintf(stderr, "No certificates found!\n");
return;
}
gnutls_x509_crt_init(&crt);
ret =
gnutls_x509_crt_import(crt, &cert_list[0],
GNUTLS_X509_FMT_DER);
if (ret < 0) {
fprintf(stderr, "Decoding error: %s\n",
gnutls_strerror(ret));
return;
}
ret = gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_COMPACT, &cinfo);
if (ret == 0) {
printf("- X.509 cert: %s\n", cinfo.data);
gnutls_free(cinfo.data);
}
gnutls_x509_crt_deinit(crt);
}
/*-
* gnutls_x509_extract_certificate_serial - This function returns the certificate's serial number
* @cert: is an X.509 DER encoded certificate
* @result: The place where the serial number will be copied
* @result_size: Holds the size of the result field.
*
* This function will return the X.509 certificate's serial number.
* This is obtained by the X509 Certificate serialNumber
* field. Serial is not always a 32 or 64bit number. Some CAs use
* large serial numbers, thus it may be wise to handle it as something
* opaque.
* Returns a negative value in case of an error.
*
-*/
int
gnutls_x509_extract_certificate_serial (const gnutls_datum_t * cert,
char *result, int *result_size)
{
gnutls_x509_crt_t xcert;
size_t size = *result_size;
int ret;
ret = gnutls_x509_crt_init (&xcert);
if (ret < 0)
return ret;
ret = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
if (ret < 0)
{
gnutls_x509_crt_deinit (xcert);
return ret;
}
ret = gnutls_x509_crt_get_serial (xcert, result, &size);
*result_size = size;
gnutls_x509_crt_deinit (xcert);
return ret;
}
/*-
* gnutls_x509_extract_certificate_subject_alt_name - This function returns the certificate's alternative name, if any
* @cert: should contain an X.509 DER encoded certificate
* @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
* @ret: is the place where the alternative name will be copied to
* @ret_size: holds the size of ret.
*
* This function will return the alternative names, contained in the
* given certificate.
*
* This is specified in X509v3 Certificate Extensions.
* GNUTLS will return the Alternative name, or a negative
* error code.
* Returns GNUTLS_E_SHORT_MEMORY_BUFFER if ret_size is not enough to hold the alternative
* name, or the type of alternative name if everything was ok. The type is
* one of the enumerated GNUTLS_X509_SUBJECT_ALT_NAME.
*
* If the certificate does not have an Alternative name with the specified
* sequence number then returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
*
-*/
int
gnutls_x509_extract_certificate_subject_alt_name (const gnutls_datum_t *
cert, int seq,
char *ret, int *ret_size)
{
gnutls_x509_crt_t xcert;
int result;
size_t size = *ret_size;
result = gnutls_x509_crt_init (&xcert);
if (result < 0)
return result;
result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
if (result < 0)
{
gnutls_x509_crt_deinit (xcert);
return result;
}
result =
gnutls_x509_crt_get_subject_alt_name (xcert, seq, ret, &size, NULL);
*ret_size = size;
gnutls_x509_crt_deinit (xcert);
return result;
}
int
verify_certificate (gnutls_session session, char* CN)
{
unsigned int cert_list_size;
const gnutls_datum *cert_list;
int ret;
char dn[MAX_DN_LEN];
size_t dn_len = MAX_DN_LEN;
gnutls_x509_crt cert;
ret = gnutls_certificate_verify_peers(session);
if (ret < 0)
{
quorum_debug(LOG_DEBUG,"gnutls_certificate_verify_peers2 returns error");
return -1;
}
if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) {
quorum_debug(LOG_DEBUG,"The certificate is not a x.509 cert");
return -1;
}
if (gnutls_x509_crt_init (&cert) < 0)
{
quorum_debug(LOG_DEBUG,"error in gnutls_x509_crt_init");
return -1;
}
cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
if (cert_list == NULL)
{
quorum_debug(LOG_DEBUG,"No certificate was found!");
return -1;
}
if (gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
{
quorum_debug(LOG_DEBUG,"error parsing certificate");
return -1;
}
if (gnutls_x509_crt_get_expiration_time (cert) < time (0))
{
quorum_debug(LOG_DEBUG,"The certificate has expired");
return -1;
}
if (gnutls_x509_crt_get_activation_time (cert) > time (0))
{
quorum_debug(LOG_DEBUG,"The certificate is not yet activated");
return -1;
}
memset(dn, 0, MAX_DN_LEN);
gnutls_x509_crt_get_dn(cert, dn, &dn_len);
strncpy(CN, strstr(dn, "CN=")+3, MAX_DN_LEN);
CN[MAX_DN_LEN-1]= '\0';
quorum_debug(LOG_DEBUG,"The certificate cn:%s",CN);
gnutls_x509_crt_deinit (cert);
return 0;
}
/*-
* gnutls_x509_extract_certificate_issuer_dn - This function returns the certificate's issuer distinguished name
* @cert: should contain an X.509 DER encoded certificate
* @ret: a pointer to a structure to hold the issuer's name
*
* This function will return the name of the issuer stated in the certificate. The name is a gnutls_x509_dn structure and
* is a obtained by the peer's certificate. If the certificate send by the
* peer is invalid, or in any other failure this function returns error.
* Returns a negative error code in case of an error.
*
-*/
int
gnutls_x509_extract_certificate_issuer_dn (const gnutls_datum_t * cert,
gnutls_x509_dn * ret)
{
gnutls_x509_crt_t xcert;
int result;
size_t len;
result = gnutls_x509_crt_init (&xcert);
if (result < 0)
return result;
result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
if (result < 0)
{
gnutls_x509_crt_deinit (xcert);
return result;
}
len = sizeof (ret->country);
gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
GNUTLS_OID_X520_COUNTRY_NAME, 0,
0, ret->country, &len);
len = sizeof (ret->organization);
gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
GNUTLS_OID_X520_ORGANIZATION_NAME,
0, 0, ret->organization, &len);
len = sizeof (ret->organizational_unit_name);
gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
0, 0,
ret->organizational_unit_name, &len);
len = sizeof (ret->common_name);
gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
GNUTLS_OID_X520_COMMON_NAME, 0, 0,
ret->common_name, &len);
len = sizeof (ret->locality_name);
gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
GNUTLS_OID_X520_LOCALITY_NAME, 0,
0, ret->locality_name, &len);
len = sizeof (ret->state_or_province_name);
gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME,
0, 0, ret->state_or_province_name,
&len);
len = sizeof (ret->email);
gnutls_x509_crt_get_issuer_dn_by_oid (xcert, GNUTLS_OID_PKCS9_EMAIL, 0,
0, ret->email, &len);
gnutls_x509_crt_deinit (xcert);
return 0;
}
/* This function will try to verify the peer's certificate chain, and
* also check if the hostname matches, and the activation, expiration dates.
*/
void
verify_certificate_chain (gnutls_session_t session,
const char *hostname,
const gnutls_datum_t * cert_chain,
int cert_chain_length)
{
int i;
gnutls_x509_crt_t *cert;
cert = malloc (sizeof (*cert) * cert_chain_length);
/* Import all the certificates in the chain to
* native certificate format.
*/
for (i = 0; i < cert_chain_length; i++)
{
gnutls_x509_crt_init (&cert[i]);
gnutls_x509_crt_import (cert[i], &cert_chain[i], GNUTLS_X509_FMT_DER);
}
/* If the last certificate in the chain is self signed ignore it.
* That is because we want to check against our trusted certificate
* list.
*/
if (gnutls_x509_crt_check_issuer (cert[cert_chain_length - 1],
cert[cert_chain_length - 1]) > 0
&& cert_chain_length > 0)
{
cert_chain_length--;
}
/* Now verify the certificates against their issuers
* in the chain.
*/
for (i = 1; i < cert_chain_length; i++)
{
verify_cert2 (cert[i - 1], cert[i], crl_list, crl_list_size);
}
/* Here we must verify the last certificate in the chain against
* our trusted CA list.
*/
verify_last_cert (cert[cert_chain_length - 1],
ca_list, ca_list_size, crl_list, crl_list_size);
/* Check if the name in the first certificate matches our destination!
*/
if (!gnutls_x509_crt_check_hostname (cert[0], hostname))
{
printf ("The certificate's owner does not match hostname '%s'\n",
hostname);
}
for (i = 0; i < cert_chain_length; i++)
gnutls_x509_crt_deinit (cert[i]);
return;
}
static int verify_certificate_callback( gnutls_session_t session )
{
unsigned int status;
const gnutls_datum_t *cert_list;
unsigned int cert_list_size;
int gnutlsret;
int verifyret = 0;
gnutls_x509_crt_t cert;
const char *hostname;
hostname = gnutls_session_get_ptr( session );
gnutlsret = gnutls_certificate_verify_peers2( session, &status );
if( gnutlsret < 0 )
return VERIFY_CERT_ERROR;
if( status & GNUTLS_CERT_INVALID )
verifyret |= VERIFY_CERT_INVALID;
if( status & GNUTLS_CERT_REVOKED )
verifyret |= VERIFY_CERT_REVOKED;
if( status & GNUTLS_CERT_SIGNER_NOT_FOUND )
verifyret |= VERIFY_CERT_SIGNER_NOT_FOUND;
if( status & GNUTLS_CERT_SIGNER_NOT_CA )
verifyret |= VERIFY_CERT_SIGNER_NOT_CA;
if( status & GNUTLS_CERT_INSECURE_ALGORITHM )
verifyret |= VERIFY_CERT_INSECURE_ALGORITHM;
#ifdef GNUTLS_CERT_NOT_ACTIVATED
/* Amusingly, the GnuTLS function used above didn't check for expiry
until GnuTLS 2.8 or so. (See CVE-2009-1417) */
if( status & GNUTLS_CERT_NOT_ACTIVATED )
verifyret |= VERIFY_CERT_NOT_ACTIVATED;
if( status & GNUTLS_CERT_EXPIRED )
verifyret |= VERIFY_CERT_EXPIRED;
#endif
if( gnutls_certificate_type_get( session ) != GNUTLS_CRT_X509 || gnutls_x509_crt_init( &cert ) < 0 )
return VERIFY_CERT_ERROR;
cert_list = gnutls_certificate_get_peers( session, &cert_list_size );
if( cert_list == NULL || gnutls_x509_crt_import( cert, &cert_list[0], GNUTLS_X509_FMT_DER ) < 0 )
return VERIFY_CERT_ERROR;
if( !gnutls_x509_crt_check_hostname( cert, hostname ) )
{
verifyret |= VERIFY_CERT_INVALID;
verifyret |= VERIFY_CERT_WRONG_HOSTNAME;
}
gnutls_x509_crt_deinit( cert );
return verifyret;
}
static int url_import_crt(gnutls_x509_crt_t crt, const char *url, unsigned flags)
{
if (strcmp(url, "myurl:cert") != 0) {
abort();
fail("unexpected cert url: %s\n", url);
return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
}
return gnutls_x509_crt_import(crt, &server_cert, GNUTLS_X509_FMT_PEM);
}
