/**
 * gnutls_store_pubkey:
 * @db_name: A file specifying the stored keys (use NULL for the default)
 * @tdb: A storage structure or NULL to use the default
 * @host: The peer's name
 * @service: non-NULL if this key is specific to a service (e.g. http)
 * @cert_type: The type of the certificate
 * @cert: The data of the certificate
 * @expiration: The expiration time (use 0 to disable expiration)
 * @flags: should be 0.
 *
 * This function will store the provided certificate to 
 * the list of stored public keys. The key will be considered valid until 
 * the provided expiration time.
 *
 * The @store variable if non-null specifies a custom backend for
 * the storage of entries. If it is NULL then the
 * default file backend will be used.
 *
 * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
 *   negative error value.
 *
 * Since: 3.0
 **/
int
gnutls_store_pubkey(const char* db_name,
                    gnutls_tdb_t tdb,
                    const char* host,
                    const char* service,
                    gnutls_certificate_type_t cert_type,
                    const gnutls_datum_t * cert,
                    time_t expiration,
                    unsigned int flags)
{
FILE* fd = NULL;
gnutls_datum_t pubkey = { NULL, 0 };
int ret;
char local_file[MAX_FILENAME];

  if (cert_type != GNUTLS_CRT_X509 && cert_type != GNUTLS_CRT_OPENPGP)
    return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE);
  
  if (db_name == NULL && tdb == NULL)
    {
      ret = _gnutls_find_config_path(local_file, sizeof(local_file));
      if (ret < 0)
        return gnutls_assert_val(ret);
      
      _gnutls_debug_log("Configuration path: %s\n", local_file);
      mkdir(local_file, 0700);
      
      ret = find_config_file(local_file, sizeof(local_file));
      if (ret < 0)
        return gnutls_assert_val(ret);
      db_name = local_file;
    }

  if (tdb == NULL)
    tdb = &default_tdb;
    
  if (cert_type == GNUTLS_CRT_X509)
    ret = x509_crt_to_raw_pubkey(cert, &pubkey);
  else
    ret = pgp_crt_to_raw_pubkey(cert, &pubkey);
  if (ret < 0)
    {
      gnutls_assert();
      goto cleanup;
    }

  _gnutls_debug_log("Configuration file: %s\n", db_name);

  tdb->store(db_name, host, service, expiration, &pubkey);

  ret = 0;

cleanup:
  gnutls_free(pubkey.data);
  if (fd != NULL) fclose(fd);
  
  return ret;
}
Esempio n. 2
0
/**
 * gnutls_verify_stored_pubkey:
 * @db_name: A file specifying the stored keys (use NULL for the default)
 * @tdb: A storage structure or NULL to use the default
 * @host: The peer's name
 * @service: non-NULL if this key is specific to a service (e.g. http)
 * @cert_type: The type of the certificate
 * @cert: The raw (der) data of the certificate
 * @flags: should be 0.
 *
 * This function will try to verify the provided (raw or DER-encoded) certificate 
 * using a list of stored public keys.  The @service field if non-NULL should
 * be a port number.
 *
 * The @retrieve variable if non-null specifies a custom backend for
 * the retrieval of entries. If it is NULL then the
 * default file backend will be used. In POSIX-like systems the
 * file backend uses the $HOME/.gnutls/known_hosts file.
 *
 * Note that if the custom storage backend is provided the
 * retrieval function should return %GNUTLS_E_CERTIFICATE_KEY_MISMATCH
 * if the host/service pair is found but key doesn't match,
 * %GNUTLS_E_NO_CERTIFICATE_FOUND if no such host/service with
 * the given key is found, and 0 if it was found. The storage
 * function should return 0 on success.
 *
 * Returns: If no associated public key is found
 * then %GNUTLS_E_NO_CERTIFICATE_FOUND will be returned. If a key
 * is found but does not match %GNUTLS_E_CERTIFICATE_KEY_MISMATCH
 * is returned. On success, %GNUTLS_E_SUCCESS (0) is returned, 
 * or a negative error value on other errors.
 *
 * Since: 3.0.13
 **/
int
gnutls_verify_stored_pubkey(const char *db_name,
			    gnutls_tdb_t tdb,
			    const char *host,
			    const char *service,
			    gnutls_certificate_type_t cert_type,
			    const gnutls_datum_t * cert,
			    unsigned int flags)
{
	gnutls_datum_t pubkey = { NULL, 0 };
	int ret;
	char local_file[MAX_FILENAME];

	if (cert_type != GNUTLS_CRT_X509
	    && cert_type != GNUTLS_CRT_OPENPGP)
		return
		    gnutls_assert_val
		    (GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE);

	if (db_name == NULL && tdb == NULL) {
		ret = find_config_file(local_file, sizeof(local_file));
		if (ret < 0)
			return gnutls_assert_val(ret);
		db_name = local_file;
	}

	if (tdb == NULL)
		tdb = &default_tdb;

	if (cert_type == GNUTLS_CRT_X509)
		ret = x509_crt_to_raw_pubkey(cert, &pubkey);
	else
		ret = pgp_crt_to_raw_pubkey(cert, &pubkey);

	if (ret < 0) {
		gnutls_assert();
		goto cleanup;
	}

	ret = tdb->verify(db_name, host, service, &pubkey);
	if (ret < 0 && ret != GNUTLS_E_CERTIFICATE_KEY_MISMATCH)
		ret = gnutls_assert_val(GNUTLS_E_NO_CERTIFICATE_FOUND);

      cleanup:
	gnutls_free(pubkey.data);
	return ret;
}