static int load_dir_certs(const char *dirname, gnutls_x509_trust_list_t list, unsigned int tl_flags, unsigned int tl_vflags, unsigned type, unsigned crl) { DIR *dirp; struct dirent *d; int ret; int r = 0; char path[GNUTLS_PATH_MAX]; dirp = opendir(dirname); if (dirp != NULL) { do { d = readdir(dirp); if (d != NULL #ifdef _DIRENT_HAVE_D_TYPE && (d->d_type == DT_REG || d->d_type == DT_LNK || d->d_type == DT_UNKNOWN) #endif ) { snprintf(path, sizeof(path), "%s/%s", dirname, d->d_name); if (crl != 0) { ret = gnutls_x509_trust_list_add_trust_file (list, NULL, path, type, tl_flags, tl_vflags); } else { ret = gnutls_x509_trust_list_add_trust_file (list, path, NULL, type, tl_flags, tl_vflags); } if (ret >= 0) r += ret; } } while (d != NULL); closedir(dirp); } return r; }
static int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags, unsigned int tl_vflags) { int ret, r = 0; const char *crl_file = #ifdef DEFAULT_CRL_FILE DEFAULT_CRL_FILE; #else NULL; #endif #if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11) ret = gnutls_x509_trust_list_add_trust_file(list, DEFAULT_TRUST_STORE_PKCS11, crl_file, GNUTLS_X509_FMT_DER, tl_flags, tl_vflags); if (ret > 0) r += ret; #endif #ifdef DEFAULT_TRUST_STORE_FILE ret = gnutls_x509_trust_list_add_trust_file(list, DEFAULT_TRUST_STORE_FILE, crl_file, GNUTLS_X509_FMT_PEM, tl_flags, tl_vflags); if (ret > 0) r += ret; #endif #ifdef DEFAULT_BLACKLIST_FILE ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM); if (ret < 0) { _gnutls_debug_log("Could not load blacklist file '%s'\n", DEFAULT_BLACKLIST_FILE); } #endif return r; }
/** * gnutls_certificate_set_x509_trust_file: * @cred: is a #gnutls_certificate_credentials_t type. * @cafile: is a file containing the list of trusted CAs (DER or PEM list) * @type: is PEM or DER * * This function adds the trusted CAs in order to verify client or * server certificates. In case of a client this is not required to * be called if the certificates are not verified using * gnutls_certificate_verify_peers2(). This function may be called * multiple times. * * In case of a server the names of the CAs set here will be sent to * the client if a certificate request is sent. This can be disabled * using gnutls_certificate_send_x509_rdn_sequence(). * * This function can also accept URLs. In that case it * will import all certificates that are marked as trusted. Note * that the supported URLs are the ones indicated by gnutls_url_is_supported(). * * Returns: the number of certificates processed **/ int gnutls_certificate_set_x509_trust_file(gnutls_certificate_credentials_t cred, const char *cafile, gnutls_x509_crt_fmt_t type) { int ret; ret = gnutls_x509_trust_list_add_trust_file(cred->tlist, cafile, NULL, type, GNUTLS_TL_USE_IN_TLS, 0); if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND) return 0; return ret; }
/** * gnutls_certificate_set_x509_crl_file: * @res: is a #gnutls_certificate_credentials_t type. * @crlfile: is a file containing the list of verified CRLs (DER or PEM list) * @type: is PEM or DER * * This function adds the trusted CRLs in order to verify client or server * certificates. In case of a client this is not required * to be called if the certificates are not verified using * gnutls_certificate_verify_peers2(). * This function may be called multiple times. * * Returns: number of CRLs processed or a negative error code on error. **/ int gnutls_certificate_set_x509_crl_file(gnutls_certificate_credentials_t res, const char *crlfile, gnutls_x509_crt_fmt_t type) { int ret; unsigned flags = GNUTLS_TL_USE_IN_TLS; if (res->flags & GNUTLS_CERTIFICATE_VERIFY_CRLS) flags |= GNUTLS_TL_VERIFY_CRL|GNUTLS_TL_FAIL_ON_INVALID_CRL; ret = gnutls_x509_trust_list_add_trust_file(res->tlist, NULL, crlfile, type, flags, 0); if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND) return 0; return ret; }
/** * gnutls_x509_trust_list_add_system_trust: * @list: The structure of the list * @tl_flags: GNUTLS_TL_* * @tl_vflags: gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL * * This function adds the system's default trusted certificate * authorities to the trusted list. Note that on unsupported system * this function returns %GNUTLS_E_UNIMPLEMENTED_FEATURE. * * Returns: The number of added elements or a negative error code on error. * * Since: 3.1 **/ int gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags, unsigned int tl_vflags) { #if !defined(DEFAULT_TRUST_STORE_PKCS11) && !defined(DEFAULT_TRUST_STORE_FILE) && !defined(_WIN32) return GNUTLS_E_UNIMPLEMENTED_FEATURE; #else int ret, r = 0; const char* crl_file = # ifdef DEFAULT_CRL_FILE DEFAULT_CRL_FILE; # else NULL; # endif # ifdef _WIN32 unsigned int i; for (i=0;i<2;i++) { HCERTSTORE store; const CERT_CONTEXT *cert; const CRL_CONTEXT *crl; gnutls_datum_t data; if (i==0) store = CertOpenSystemStore(0, "ROOT"); else store = CertOpenSystemStore(0, "CA"); if (store == NULL) return GNUTLS_E_FILE_ERROR; cert = CertEnumCertificatesInStore(store, NULL); crl = Loaded_CertEnumCRLsInStore(store, NULL); while(cert != NULL) { if (cert->dwCertEncodingType == X509_ASN_ENCODING) { data.data = cert->pbCertEncoded; data.size = cert->cbCertEncoded; if (gnutls_x509_trust_list_add_trust_mem(list, &data, NULL, GNUTLS_X509_FMT_DER, tl_flags, tl_vflags) > 0) r++; } cert = CertEnumCertificatesInStore(store, cert); } while(crl != NULL) { if (crl->dwCertEncodingType == X509_ASN_ENCODING) { data.data = crl->pbCrlEncoded; data.size = crl->cbCrlEncoded; gnutls_x509_trust_list_add_trust_mem(list, NULL, &data, GNUTLS_X509_FMT_DER, tl_flags, tl_vflags); } crl = Loaded_CertEnumCRLsInStore(store, crl); } CertCloseStore(store, 0); } # endif # if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11) ret = gnutls_x509_trust_list_add_trust_file(list, DEFAULT_TRUST_STORE_PKCS11, crl_file, GNUTLS_X509_FMT_DER, tl_flags, tl_vflags); if (ret > 0) r += ret; # endif # ifdef DEFAULT_TRUST_STORE_FILE ret = gnutls_x509_trust_list_add_trust_file(list, DEFAULT_TRUST_STORE_FILE, crl_file, GNUTLS_X509_FMT_PEM, tl_flags, tl_vflags); if (ret > 0) r += ret; # endif return r; #endif }
void doit(void) { char buf[128]; int exit_val = 0; int ret; unsigned j; const char *lib, *bin; gnutls_x509_crt_t issuer = NULL; gnutls_x509_trust_list_t tl; gnutls_x509_crt_t certs[MAX_CHAIN]; gnutls_x509_crt_t intermediate; gnutls_datum_t tmp; /* The overloading of time() seems to work in linux (ELF?) * systems only. Disable it on windows. */ #ifdef _WIN32 exit(77); #endif bin = softhsm_bin(); lib = softhsm_lib(); ret = global_init(); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } gnutls_pkcs11_set_pin_function(pin_func, NULL); gnutls_global_set_time_function(mytime); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); set_softhsm_conf(CONFIG); snprintf(buf, sizeof(buf), "%s --init-token --slot 0 --label test --so-pin "PIN" --pin "PIN, bin); system(buf); ret = gnutls_pkcs11_add_provider(lib, "trusted"); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); exit(1); } for (j = 0; ca_list[j]; j++) { if (debug > 2) printf("\tAdding certificate %d...", (int) j); ret = gnutls_x509_crt_init(&certs[j]); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init[%d,%d]: %s\n", (int) 3, (int) j, gnutls_strerror(ret)); exit(1); } tmp.data = (unsigned char *) ca_list[j]; tmp.size = strlen(ca_list[j]); ret = gnutls_x509_crt_import(certs[j], &tmp, GNUTLS_X509_FMT_PEM); if (debug > 2) printf("done\n"); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_import[%d]: %s\n", (int) j, gnutls_strerror(ret)); exit(1); } gnutls_x509_crt_print(certs[j], GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf("\tCertificate %d: %.*s\n", (int) j, tmp.size, tmp.data); gnutls_free(tmp.data); } if (debug > 2) printf("\tAdding intermediate certificate..."); ret = gnutls_x509_crt_init(&intermediate); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); exit(1); } tmp.data = (unsigned char *) intermediate_str; tmp.size = strlen(intermediate_str); ret = gnutls_x509_crt_import(intermediate, &tmp, GNUTLS_X509_FMT_PEM); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_import: %s\n", gnutls_strerror(ret)); exit(1); } if (debug > 2) printf("done\n"); gnutls_x509_crt_print(intermediate, GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf("\tIntermediate Certificate: %.*s\n", tmp.size, tmp.data); gnutls_free(tmp.data); if (debug) printf("\tVerifying..."); /* initialize softhsm token */ ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test"); if (ret < 0) { fail("gnutls_pkcs11_token_init\n"); exit(1); } /* write CA certificate to softhsm */ for (j = 0; ca_list[j]; j++) { char name[64]; snprintf(name, sizeof(name), "test-ca%d", j); ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, certs[j], name, GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO); if (ret < 0) { fail("gnutls_pkcs11_copy_x509_crt: %s\n", gnutls_strerror(ret)); exit(1); } } /* try to extract an issuer when using an object URL */ gnutls_x509_trust_list_init(&tl, 0); ret = gnutls_x509_trust_list_add_trust_file(tl, OBJ_URL, NULL, 0, 0, 0); if (ret != 1) { fail("gnutls_x509_trust_list_add_trust_file (with expl. object 0): %d\n", ret); exit(1); } /* extract the issuer of the certificate */ ret = gnutls_x509_trust_list_get_issuer(tl, intermediate, &issuer, GNUTLS_TL_GET_COPY); if (ret < 0) { fail("gnutls_x509_trust_list_get_issuer (with expl. object) should have succeeded\n"); exit(1); } gnutls_x509_crt_deinit(issuer); gnutls_x509_trust_list_deinit(tl, 0); /* Try to extract issuers using PKCS #11 token URL */ gnutls_x509_trust_list_init(&tl, 0); ret = gnutls_x509_trust_list_add_trust_file(tl, SOFTHSM_URL, NULL, 0, 0, 0); if (ret < 0) { fail("gnutls_x509_trust_list_add_trust_file\n"); exit(1); } /* extract the issuer of the certificate */ ret = gnutls_x509_trust_list_get_issuer(tl, intermediate, &issuer, GNUTLS_TL_GET_COPY); if (ret < 0) { fail("gnutls_x509_trust_list_get_issuer should have succeeded\n"); exit(1); } gnutls_x509_crt_deinit(issuer); ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, certs[2], GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED); if (ret == 0) { fail("error in gnutls_pkcs11_crt_is_known - 0\n"); exit(1); } ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, certs[0], GNUTLS_PKCS11_OBJ_FLAG_COMPARE|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED); if (ret == 0) { fail("error in gnutls_pkcs11_crt_is_known - 0\n"); exit(1); } ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, certs[1], GNUTLS_PKCS11_OBJ_FLAG_COMPARE|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED); if (ret == 0) { fail("error in gnutls_pkcs11_crt_is_known - 0\n"); exit(1); } gnutls_x509_trust_list_deinit(tl, 0); /* deinit */ if (debug) printf("\tCleanup..."); gnutls_x509_crt_deinit(intermediate); for (j = 0; ca_list[j]; j++) { gnutls_x509_crt_deinit(certs[j]); } if (debug) printf("done\n\n\n"); gnutls_global_deinit(); if (debug) printf("Exit status...%d\n", exit_val); remove(CONFIG); exit(exit_val); }
void doit(void) { char buf[128]; int exit_val = 0; int ret; unsigned j; const char *lib, *bin; gnutls_x509_crt_t issuer = NULL; gnutls_x509_trust_list_t tl; gnutls_x509_crt_t certs[MAX_CHAIN]; gnutls_x509_crt_t end, ca; unsigned verify_status = 0; gnutls_datum_t tmp; /* The overloading of time() seems to work in linux (ELF?) * systems only. Disable it on windows. */ #ifdef _WIN32 exit(77); #endif bin = softhsm_bin(); lib = softhsm_lib(); ret = global_init(); if (ret != 0) { fail("%d: %s\n", ret, gnutls_strerror(ret)); exit(1); } gnutls_pkcs11_set_pin_function(pin_func, NULL); gnutls_global_set_time_function(mytime); gnutls_global_set_log_function(tls_log_func); if (debug) gnutls_global_set_log_level(4711); set_softhsm_conf(CONFIG); snprintf(buf, sizeof(buf), "%s --init-token --slot 0 --label test --so-pin "PIN" --pin "PIN, bin); system(buf); ret = gnutls_pkcs11_add_provider(lib, "trusted"); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); exit(1); } for (j = 0; ca_list[j]; j++) { if (debug > 2) printf("\tAdding certificate %d...", (int) j); ret = gnutls_x509_crt_init(&certs[j]); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init[%d,%d]: %s\n", (int) 3, (int) j, gnutls_strerror(ret)); exit(1); } tmp.data = (unsigned char *) ca_list[j]; tmp.size = strlen(ca_list[j]); ret = gnutls_x509_crt_import(certs[j], &tmp, GNUTLS_X509_FMT_PEM); if (debug > 2) printf("done\n"); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_import[%d]: %s\n", (int) j, gnutls_strerror(ret)); exit(1); } gnutls_x509_crt_print(certs[j], GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf("\tCertificate %d: %.*s\n", (int) j, tmp.size, tmp.data); gnutls_free(tmp.data); } if (debug > 2) printf("\tAdding end certificate..."); ret = gnutls_x509_crt_init(&end); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); exit(1); } tmp.data = (unsigned char *) v1_root_check[0]; tmp.size = strlen(v1_root_check[0]); ret = gnutls_x509_crt_import(end, &tmp, GNUTLS_X509_FMT_PEM); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_import: %s\n", gnutls_strerror(ret)); exit(1); } gnutls_x509_crt_print(end, GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf("\tEnd Certificate: %.*s\n", tmp.size, tmp.data); gnutls_free(tmp.data); ret = gnutls_x509_crt_init(&ca); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_init: %s\n", gnutls_strerror(ret)); exit(1); } tmp.data = (unsigned char *) v1_root_check[1]; tmp.size = strlen(v1_root_check[1]); ret = gnutls_x509_crt_import(ca, &tmp, GNUTLS_X509_FMT_PEM); if (ret < 0) { fprintf(stderr, "gnutls_x509_crt_import: %s\n", gnutls_strerror(ret)); exit(1); } gnutls_x509_crt_print(end, GNUTLS_CRT_PRINT_ONELINE, &tmp); if (debug) printf("\tCA Certificate: %.*s\n", tmp.size, tmp.data); gnutls_free(tmp.data); if (debug > 2) printf("done\n"); if (debug) printf("\tChecking presence and verification..."); /* initialize softhsm token */ ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test"); if (ret < 0) { fail("gnutls_pkcs11_token_init\n"); exit(1); } /* write CA certificate to softhsm */ for (j = 0; ca_list[j]; j++) { char name[64]; snprintf(name, sizeof(name), "test-ca%d", j); ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, certs[j], name, GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED|GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO); if (ret < 0) { fail("gnutls_pkcs11_copy_x509_crt: %s\n", gnutls_strerror(ret)); exit(1); } } gnutls_x509_trust_list_init(&tl, 0); ret = gnutls_x509_trust_list_add_trust_file(tl, SOFTHSM_URL, NULL, 0, 0, 0); if (ret < 0) { fail("gnutls_x509_trust_list_add_trust_file\n"); exit(1); } ret = gnutls_x509_trust_list_add_cas(tl, &ca, 1, 0); if (ret < 0) { fail("gnutls_x509_trust_list_add_cas\n"); exit(1); } /* extract the issuer of the certificate */ ret = gnutls_x509_trust_list_get_issuer(tl, end, &issuer, GNUTLS_TL_GET_COPY); if (ret < 0) { fail("gnutls_x509_trust_list_get_issuer should have succeeded\n"); exit(1); } gnutls_x509_crt_deinit(issuer); ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, ca, GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED); if (ret != 0) { fail("gnutls_pkcs11_crt_is_known should have failed!\n"); exit(1); } ret = gnutls_x509_trust_list_verify_crt2(tl, &end, 1, NULL, 0, GNUTLS_VERIFY_DISABLE_TIME_CHECKS, &verify_status, NULL); if (ret < 0) { fail("gnutls_x509_trust_list_verify_crt2 should have succeeded\n"); exit(1); } if (verify_status != 0) { fail("verification should have succeeded: %.2x\n", verify_status); exit(1); } if (debug) printf("\tCleanup..."); gnutls_x509_trust_list_deinit(tl, 0); gnutls_x509_crt_deinit(ca); gnutls_x509_crt_deinit(end); for (j = 0; ca_list[j]; j++) { gnutls_x509_crt_deinit(certs[j]); } if (debug) printf("done\n\n\n"); gnutls_global_deinit(); if (debug) printf("Exit status...%d\n", exit_val); remove(CONFIG); exit(exit_val); }