예제 #1
/* Load the Certificate Request.
 *
 * Returns NULL when no --load-request file was given.  Otherwise the
 * file named by info->request is read and imported in the format given
 * by info->incert_format; any init, read or import failure terminates
 * the process through error(EXIT_FAILURE, ...).  The caller owns the
 * returned request and must deinit it.
 */
gnutls_x509_crq_t
load_request (common_info_st * info)
{
  const char *path = info->request;
  gnutls_x509_crq_t crq = NULL;
  gnutls_datum_t dat = { NULL, 0 };
  size_t size = 0;
  int ret;

  if (path == NULL)
    return NULL;

  ret = gnutls_x509_crq_init (&crq);
  if (ret < 0)
    error (EXIT_FAILURE, 0, "crq_init: %s", gnutls_strerror (ret));

  /* read_binary_file() hands back a heap buffer; released once imported. */
  dat.data = read_binary_file (path, &size);
  if (dat.data == NULL)
    error (EXIT_FAILURE, errno, "reading --load-request: %s", path);
  dat.size = size;

  ret = gnutls_x509_crq_import (crq, &dat, info->incert_format);

  /* A missing/unexpected PEM header gets a dedicated, clearer message. */
  if (ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR)
    error (EXIT_FAILURE, 0,
           "import error: could not find a valid PEM header");

  free (dat.data);
  if (ret < 0)
    error (EXIT_FAILURE, 0, "importing --load-request: %s: %s",
           path, gnutls_strerror (ret));

  return crq;
}
예제 #2
/* Load the Certificate Request.
 *
 * Returns NULL when no --load-request file was given.  Otherwise the
 * file named by info->request is read and imported in the format given
 * by info->incert_format.  Every failure (init, read, import) is
 * reported on stderr and ends the process with exit status 1.  The
 * caller owns the returned request and must deinit it.
 */
gnutls_x509_crq_t load_request(common_info_st * info)
{
	const char *path = info->request;
	gnutls_x509_crq_t crq = NULL;
	gnutls_datum_t dat = { NULL, 0 };
	size_t size = 0;
	int ret;

	if (path == NULL)
		return NULL;

	ret = gnutls_x509_crq_init(&crq);
	if (ret < 0) {
		fprintf(stderr, "crq_init: %s\n", gnutls_strerror(ret));
		exit(1);
	}

	/* read_binary_file() hands back a heap buffer; freed once imported. */
	dat.data = (void *) read_binary_file(path, &size);
	dat.size = size;
	if (dat.data == NULL) {
		fprintf(stderr, "error reading --load-request: %s\n", path);
		exit(1);
	}

	ret = gnutls_x509_crq_import(crq, &dat, info->incert_format);
	free(dat.data);

	/* A missing/unexpected PEM header gets a dedicated, clearer message. */
	if (ret == GNUTLS_E_BASE64_UNEXPECTED_HEADER_ERROR) {
		fprintf(stderr,
			"import error: could not find a valid PEM header\n");
		exit(1);
	}
	if (ret < 0) {
		fprintf(stderr, "importing --load-request: %s: %s\n",
			path, gnutls_strerror(ret));
		exit(1);
	}

	return crq;
}
예제 #3
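/*
 * Export @crt in PEM form into @buf (of @bufsize bytes) and send it
 * length-delimited on @fd.
 *
 * @errmsg is the (constant) message handed to requiem_perror() when the
 * write fails; it must not carry conversion specifiers.
 *
 * Returns 0 on success, -1 if the export or the write fails.
 */
static int send_certificate(requiem_io_t *fd, gnutls_x509_crt crt,
                            char *buf, size_t bufsize, const char *errmsg)
{
        int gret;
        ssize_t ret;
        size_t size = bufsize;

        /*
         * On failure the buffer content is undefined (and with
         * GNUTLS_E_SHORT_MEMORY_BUFFER @size is set to the required
         * length), so the result must never be sent unchecked.
         */
        gret = gnutls_x509_crt_export(crt, GNUTLS_X509_FMT_PEM, buf, &size);
        if ( gret < 0 ) {
                fprintf(stderr, "error exporting certificate: %s.\n", gnutls_strerror(gret));
                return -1;
        }

        ret = requiem_io_write_delimited(fd, buf, size);
        if ( ret < 0 || (size_t) ret != size ) {
                requiem_perror(ret, errmsg);
                return -1;
        }

        return 0;
}

/*
 * Serve one client certificate request on @fd: read the PEM-encoded CRQ
 * sent by the peer, validate it through check_req(), sign it with
 * @cakey/@cacrt, send the signed certificate back, then send our own
 * certificate @crt.
 *
 * @srcinfo    description of the peer, passed through to check_req().
 * @cp         client profile used when generating the certificate.
 * @fd         connection to the client.
 * @cakey      CA private key used for signing.
 * @cacrt      CA certificate used for signing.
 * @crt        this server's own certificate, sent last.
 *
 * Returns 0 on success, a negative value on error.  The CRQ comes from a
 * not-yet-authenticated peer, so it is rejected when it does not parse
 * instead of being passed on as an empty request.  All GnuTLS objects
 * created here are released on every path; @cakey, @cacrt and @crt stay
 * owned by the caller.
 */
int tls_handle_certificate_request(const char *srcinfo, requiem_client_profile_t *cp, requiem_io_t *fd,
                                   gnutls_x509_privkey cakey, gnutls_x509_crt cacrt,
                                   gnutls_x509_crt crt)
{
        int gret;
        ssize_t ret;
        char buf[65535];
        gnutls_datum data;
        gnutls_x509_crq crq;
        unsigned char *rbuf;
        uint64_t analyzerid;
        gnutls_x509_crt gencrt;

        /*
         * Read the client CRQ and generate a certificate for it.
         */
        requiem_log_debug(1, "Waiting for client certificate request.\n");
        ret = requiem_io_read_delimited(fd, &rbuf);
        if ( ret < 0 ) {
                requiem_perror(ret, "error receiving client certificate request");
                return -1;
        }

        gret = gnutls_x509_crq_init(&crq);
        if ( gret < 0 ) {
                fprintf(stderr, "error initializing certificate request: %s.\n", gnutls_strerror(gret));
                free(rbuf);
                return -1;
        }

        data.size = ret;
        data.data = rbuf;
        gret = gnutls_x509_crq_import(crq, &data, GNUTLS_X509_FMT_PEM);
        free(rbuf);
        if ( gret < 0 ) {
                /* Unparsable input from the peer: do not hand an empty CRQ to check_req(). */
                fprintf(stderr, "error importing client certificate request: %s.\n", gnutls_strerror(gret));
                gnutls_x509_crq_deinit(crq);
                return -1;
        }

        ret = check_req(srcinfo, fd, crq, &analyzerid);
        if ( ret < 0 ) {
                gnutls_x509_crq_deinit(crq);
                return ret;
        }

        /*
         * Generate a CA signed certificate for this CRQ.
         */
        requiem_log_debug(1, "Generating signed certificate for client.\n");

        gencrt = generate_signed_certificate(cp, analyzerid, cacrt, cakey, crq);
        gnutls_x509_crq_deinit(crq);
        if ( ! gencrt ) {
                fprintf(stderr, "error generating signed certificate for this request.\n");
                return -1;
        }

        ret = send_certificate(fd, gencrt, buf, sizeof(buf), "error sending signed certificate");
        gnutls_x509_crt_deinit(gencrt);
        if ( ret < 0 )
                return -1;

        /*
         * write our own certificate back to the client.
         */
        requiem_log_debug(1, "Sending server certificate to client.\n");

        return send_certificate(fd, crt, buf, sizeof(buf), "error sending server certificate");
}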