/** * gnutls_store_pubkey: * @db_name: A file specifying the stored keys (use NULL for the default) * @tdb: A storage structure or NULL to use the default * @host: The peer's name * @service: non-NULL if this key is specific to a service (e.g. http) * @cert_type: The type of the certificate * @cert: The data of the certificate * @expiration: The expiration time (use 0 to disable expiration) * @flags: should be 0. * * This function will store the provided certificate to * the list of stored public keys. The key will be considered valid until * the provided expiration time. * * The @store variable if non-null specifies a custom backend for * the storage of entries. If it is NULL then the * default file backend will be used. * * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a * negative error value. * * Since: 3.0 **/ int gnutls_store_pubkey(const char* db_name, gnutls_tdb_t tdb, const char* host, const char* service, gnutls_certificate_type_t cert_type, const gnutls_datum_t * cert, time_t expiration, unsigned int flags) { FILE* fd = NULL; gnutls_datum_t pubkey = { NULL, 0 }; int ret; char local_file[MAX_FILENAME]; if (cert_type != GNUTLS_CRT_X509 && cert_type != GNUTLS_CRT_OPENPGP) return gnutls_assert_val(GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE); if (db_name == NULL && tdb == NULL) { ret = _gnutls_find_config_path(local_file, sizeof(local_file)); if (ret < 0) return gnutls_assert_val(ret); _gnutls_debug_log("Configuration path: %s\n", local_file); mkdir(local_file, 0700); ret = find_config_file(local_file, sizeof(local_file)); if (ret < 0) return gnutls_assert_val(ret); db_name = local_file; } if (tdb == NULL) tdb = &default_tdb; if (cert_type == GNUTLS_CRT_X509) ret = x509_crt_to_raw_pubkey(cert, &pubkey); else ret = pgp_crt_to_raw_pubkey(cert, &pubkey); if (ret < 0) { gnutls_assert(); goto cleanup; } _gnutls_debug_log("Configuration file: %s\n", db_name); tdb->store(db_name, host, service, expiration, &pubkey); ret = 0; cleanup: gnutls_free(pubkey.data); if (fd != NULL) fclose(fd); return ret; }
/** * gnutls_verify_stored_pubkey: * @db_name: A file specifying the stored keys (use NULL for the default) * @tdb: A storage structure or NULL to use the default * @host: The peer's name * @service: non-NULL if this key is specific to a service (e.g. http) * @cert_type: The type of the certificate * @cert: The raw (der) data of the certificate * @flags: should be 0. * * This function will try to verify the provided (raw or DER-encoded) certificate * using a list of stored public keys. The @service field if non-NULL should * be a port number. * * The @retrieve variable if non-null specifies a custom backend for * the retrieval of entries. If it is NULL then the * default file backend will be used. In POSIX-like systems the * file backend uses the $HOME/.gnutls/known_hosts file. * * Note that if the custom storage backend is provided the * retrieval function should return %GNUTLS_E_CERTIFICATE_KEY_MISMATCH * if the host/service pair is found but key doesn't match, * %GNUTLS_E_NO_CERTIFICATE_FOUND if no such host/service with * the given key is found, and 0 if it was found. The storage * function should return 0 on success. * * Returns: If no associated public key is found * then %GNUTLS_E_NO_CERTIFICATE_FOUND will be returned. If a key * is found but does not match %GNUTLS_E_CERTIFICATE_KEY_MISMATCH * is returned. On success, %GNUTLS_E_SUCCESS (0) is returned, * or a negative error value on other errors. * * Since: 3.0.13 **/ int gnutls_verify_stored_pubkey(const char *db_name, gnutls_tdb_t tdb, const char *host, const char *service, gnutls_certificate_type_t cert_type, const gnutls_datum_t * cert, unsigned int flags) { gnutls_datum_t pubkey = { NULL, 0 }; int ret; char local_file[MAX_FILENAME]; if (cert_type != GNUTLS_CRT_X509 && cert_type != GNUTLS_CRT_OPENPGP) return gnutls_assert_val (GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE); if (db_name == NULL && tdb == NULL) { ret = find_config_file(local_file, sizeof(local_file)); if (ret < 0) return gnutls_assert_val(ret); db_name = local_file; } if (tdb == NULL) tdb = &default_tdb; if (cert_type == GNUTLS_CRT_X509) ret = x509_crt_to_raw_pubkey(cert, &pubkey); else ret = pgp_crt_to_raw_pubkey(cert, &pubkey); if (ret < 0) { gnutls_assert(); goto cleanup; } ret = tdb->verify(db_name, host, service, &pubkey); if (ret < 0 && ret != GNUTLS_E_CERTIFICATE_KEY_MISMATCH) ret = gnutls_assert_val(GNUTLS_E_NO_CERTIFICATE_FOUND); cleanup: gnutls_free(pubkey.data); return ret; }