/* Load the Certificate Request named by --load-request (info->request).
 *
 * Returns a freshly initialized gnutls_x509_crq_t that the caller owns and
 * must release with gnutls_x509_crq_deinit (), or NULL when no request file
 * was given.  Every failure (init, read, import) terminates the program via
 * error (EXIT_FAILURE, ...), so a non-NULL return is always a valid request.
 */
gnutls_x509_crq_t
load_request (common_info_st * info)
{
  gnutls_x509_crq_t crq;
  gnutls_datum_t dat;
  size_t file_len = 0;
  int rc;

  if (info->request == NULL)
    return NULL;

  rc = gnutls_x509_crq_init (&crq);
  if (rc < 0)
    error (EXIT_FAILURE, 0, "crq_init: %s", gnutls_strerror (rc));

  /* read_binary_file () hands back a heap buffer we own until the import
     below is done; errno is passed through to error () if it fails.  */
  dat.data = read_binary_file (info->request, &file_len);
  if (dat.data == NULL)
    error (EXIT_FAILURE, errno, "reading --load-request: %s", info->request);
  /* NOTE(review): gnutls_datum_t.size is narrower than size_t on common
     platforms, so an implausibly large request file would be truncated
     here -- confirm whether read_binary_file () bounds the length.  */
  dat.size = file_len;

  rc = gnutls_x509_crq_import (crq, &dat, info->incert_format);
  /* A missing PEM header gets a dedicated message; other import errors fall
     through to the generic report after the buffer has been released.  */
  if (rc == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR)
    error (EXIT_FAILURE, 0, "import error: could not find a valid PEM header");

  free (dat.data);
  dat.data = NULL;

  if (rc < 0)
    error (EXIT_FAILURE, 0, "importing --load-request: %s: %s",
           info->request, gnutls_strerror (rc));

  return crq;
}
/*
 * Load the Certificate Request named by --load-request (info->request).
 *
 * Returns an initialized gnutls_x509_crq_t owned by the caller (release with
 * gnutls_x509_crq_deinit()), or NULL when no request file was given.  Any
 * failure is reported on stderr and the process exits with status 1, so a
 * non-NULL return is always a successfully imported request.
 */
gnutls_x509_crq_t load_request(common_info_st * info)
{
	gnutls_x509_crq_t request;
	gnutls_datum_t raw;
	size_t raw_len = 0;
	int rc;

	if (info->request == NULL) {
		return NULL;
	}

	rc = gnutls_x509_crq_init(&request);
	if (rc < 0) {
		fprintf(stderr, "crq_init: %s\n", gnutls_strerror(rc));
		exit(1);
	}

	/* The returned buffer is heap memory we own until the import is done. */
	raw.data = (void *) read_binary_file(info->request, &raw_len);
	if (raw.data == NULL) {
		fprintf(stderr, "error reading --load-request: %s\n", info->request);
		exit(1);
	}
	/* NOTE(review): gnutls_datum_t.size is narrower than size_t on common
	 * platforms; an implausibly large request file would be truncated here
	 * -- confirm whether read_binary_file() bounds the length. */
	raw.size = raw_len;

	rc = gnutls_x509_crq_import(request, &raw, info->incert_format);

	/* A missing PEM header gets its own message; every other import error
	 * is reported generically once the file buffer has been released. */
	if (rc == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR) {
		fprintf(stderr, "import error: could not find a valid PEM header\n");
		exit(1);
	}

	free(raw.data);
	raw.data = NULL;

	if (rc < 0) {
		fprintf(stderr, "importing --load-request: %s: %s\n",
			info->request, gnutls_strerror(rc));
		exit(1);
	}

	return request;
}
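/*
 * PEM-export `cert` and send it to the client as one delimited message.
 *
 * `errmsg` is a caller-supplied string literal (no conversion specifiers) that
 * is used verbatim when reporting a failure.  Returns 0 on success, -1 when
 * the export fails, the write fails, or fewer bytes than the PEM length were
 * written (the peer would otherwise receive a truncated certificate).
 */
static int tls_export_and_send_crt(requiem_io_t *fd, gnutls_x509_crt cert, const char *errmsg)
{
        int err;
        ssize_t ret;
        char buf[65535];
        size_t size = sizeof(buf);

        err = gnutls_x509_crt_export(cert, GNUTLS_X509_FMT_PEM, buf, &size);
        if ( err < 0 ) {
                fprintf(stderr, "%s: certificate export failed: %s\n", errmsg, gnutls_strerror(err));
                return -1;
        }

        ret = requiem_io_write_delimited(fd, buf, size);
        if ( ret < 0 ) {
                requiem_perror(ret, errmsg);
                return -1;
        }

        /* A non-negative return smaller than `size` is a short write, not a requiem error code. */
        if ( (size_t) ret != size ) {
                fprintf(stderr, "%s: short write (%zd of %zu bytes)\n", errmsg, ret, size);
                return -1;
        }

        return 0;
}


/*
 * Serve one certificate request from a registering client.
 *
 * Reads the client's PEM certificate request from `fd`, validates it through
 * check_req() (which also yields the analyzer id), issues a CA-signed
 * certificate for it with `cakey`/`cacrt`, sends that certificate back, then
 * sends our own certificate `crt` so the client can trust us.
 *
 * Returns 0 on success, the negative value returned by check_req() when the
 * request is rejected, or -1 on any other failure.  All locally created
 * gnutls objects are released on every path; `crt`, `cacrt` and `cakey`
 * remain owned by the caller.
 */
int tls_handle_certificate_request(const char *srcinfo, requiem_client_profile_t *cp, requiem_io_t *fd,
                                   gnutls_x509_privkey cakey, gnutls_x509_crt cacrt, gnutls_x509_crt crt)
{
        ssize_t ret;
        gnutls_datum data;
        gnutls_x509_crq crq;
        unsigned char *rbuf = NULL;
        uint64_t analyzerid;
        gnutls_x509_crt gencrt = NULL;
        int retval = -1;

        /*
         * Read the client CRQ and generate a certificate for it.
         */
        requiem_log_debug(1, "Waiting for client certificate request.\n");

        ret = requiem_io_read_delimited(fd, &rbuf);
        if ( ret < 0 ) {
                requiem_perror(ret, "error receiving client certificate request");
                return -1;
        }

        /* NOTE(review): gnutls_datum.size is narrower than ssize_t; relies on
         * requiem_io_read_delimited() bounding the message length -- confirm. */
        data.size = ret;
        data.data = rbuf;

        ret = gnutls_x509_crq_init(&crq);
        if ( ret < 0 ) {
                fprintf(stderr, "error initializing certificate request: %s\n", gnutls_strerror((int) ret));
                free(rbuf);
                return -1;
        }

        /*
         * The request comes from an unauthenticated peer: an import failure
         * must stop processing here rather than hand an empty CRQ to check_req().
         */
        ret = gnutls_x509_crq_import(crq, &data, GNUTLS_X509_FMT_PEM);
        free(rbuf);
        rbuf = NULL;
        if ( ret < 0 ) {
                fprintf(stderr, "error importing client certificate request: %s\n", gnutls_strerror((int) ret));
                goto out;
        }

        ret = check_req(srcinfo, fd, crq, &analyzerid);
        if ( ret < 0 ) {
                retval = (int) ret;
                goto out;
        }

        /*
         * Generate a CA signed certificate for this CRQ.
         */
        requiem_log_debug(1, "Generating signed certificate for client.\n");

        gencrt = generate_signed_certificate(cp, analyzerid, cacrt, cakey, crq);
        if ( ! gencrt ) {
                fprintf(stderr, "error generating signed certificate for this request.\n");
                goto out;
        }

        if ( tls_export_and_send_crt(fd, gencrt, "error sending signed certificate") < 0 )
                goto out;

        /*
         * write our own certificate back to the client.
         */
        requiem_log_debug(1, "Sending server certificate to client.\n");

        if ( tls_export_and_send_crt(fd, crt, "error sending server certificate") < 0 )
                goto out;

        retval = 0;

out:
        /* gencrt is only set once generate_signed_certificate() succeeded; crq is always valid here. */
        if ( gencrt )
                gnutls_x509_crt_deinit(gencrt);
        gnutls_x509_crq_deinit(crq);

        return retval;
}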