static
int load_dir_certs(const char *dirname,
gnutls_x509_trust_list_t list,
unsigned int tl_flags, unsigned int tl_vflags,
unsigned type, unsigned crl)
{
DIR *dirp;
struct dirent *d;
int ret;
int r = 0;
char path[GNUTLS_PATH_MAX];
dirp = opendir(dirname);
if (dirp != NULL) {
do {
d = readdir(dirp);
if (d != NULL
#ifdef _DIRENT_HAVE_D_TYPE
&& (d->d_type == DT_REG || d->d_type == DT_LNK || d->d_type == DT_UNKNOWN)
#endif
) {
snprintf(path, sizeof(path), "%s/%s",
dirname, d->d_name);
if (crl != 0) {
ret =
gnutls_x509_trust_list_add_trust_file
(list, NULL, path, type, tl_flags,
tl_vflags);
} else {
ret =
gnutls_x509_trust_list_add_trust_file
(list, path, NULL, type, tl_flags,
tl_vflags);
}
if (ret >= 0)
r += ret;
}
}
while (d != NULL);
closedir(dirp);
}
return r;
}
static
int
add_system_trust(gnutls_x509_trust_list_t list,
unsigned int tl_flags, unsigned int tl_vflags)
{
int ret, r = 0;
const char *crl_file =
#ifdef DEFAULT_CRL_FILE
DEFAULT_CRL_FILE;
#else
NULL;
#endif
#if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11)
ret =
gnutls_x509_trust_list_add_trust_file(list,
DEFAULT_TRUST_STORE_PKCS11,
crl_file,
GNUTLS_X509_FMT_DER,
tl_flags, tl_vflags);
if (ret > 0)
r += ret;
#endif
#ifdef DEFAULT_TRUST_STORE_FILE
ret =
gnutls_x509_trust_list_add_trust_file(list,
DEFAULT_TRUST_STORE_FILE,
crl_file,
GNUTLS_X509_FMT_PEM,
tl_flags, tl_vflags);
if (ret > 0)
r += ret;
#endif
#ifdef DEFAULT_BLACKLIST_FILE
ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
_gnutls_debug_log("Could not load blacklist file '%s'\n", DEFAULT_BLACKLIST_FILE);
}
#endif
return r;
}
/**
* gnutls_certificate_set_x509_trust_file:
* @cred: is a #gnutls_certificate_credentials_t type.
* @cafile: is a file containing the list of trusted CAs (DER or PEM list)
* @type: is PEM or DER
*
* This function adds the trusted CAs in order to verify client or
* server certificates. In case of a client this is not required to
* be called if the certificates are not verified using
* gnutls_certificate_verify_peers2(). This function may be called
* multiple times.
*
* In case of a server the names of the CAs set here will be sent to
* the client if a certificate request is sent. This can be disabled
* using gnutls_certificate_send_x509_rdn_sequence().
*
* This function can also accept URLs. In that case it
* will import all certificates that are marked as trusted. Note
* that the supported URLs are the ones indicated by gnutls_url_is_supported().
*
* Returns: the number of certificates processed
**/
int
gnutls_certificate_set_x509_trust_file(gnutls_certificate_credentials_t
cred, const char *cafile,
gnutls_x509_crt_fmt_t type)
{
int ret;
ret = gnutls_x509_trust_list_add_trust_file(cred->tlist, cafile, NULL,
type, GNUTLS_TL_USE_IN_TLS, 0);
if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
return 0;
return ret;
}
/**
* gnutls_certificate_set_x509_crl_file:
* @res: is a #gnutls_certificate_credentials_t type.
* @crlfile: is a file containing the list of verified CRLs (DER or PEM list)
* @type: is PEM or DER
*
* This function adds the trusted CRLs in order to verify client or server
* certificates. In case of a client this is not required
* to be called if the certificates are not verified using
* gnutls_certificate_verify_peers2().
* This function may be called multiple times.
*
* Returns: number of CRLs processed or a negative error code on error.
**/
int
gnutls_certificate_set_x509_crl_file(gnutls_certificate_credentials_t res,
const char *crlfile,
gnutls_x509_crt_fmt_t type)
{
int ret;
unsigned flags = GNUTLS_TL_USE_IN_TLS;
if (res->flags & GNUTLS_CERTIFICATE_VERIFY_CRLS)
flags |= GNUTLS_TL_VERIFY_CRL|GNUTLS_TL_FAIL_ON_INVALID_CRL;
ret = gnutls_x509_trust_list_add_trust_file(res->tlist, NULL, crlfile,
type, flags, 0);
if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
return 0;
return ret;
}
/**
* gnutls_x509_trust_list_add_system_trust:
* @list: The structure of the list
* @tl_flags: GNUTLS_TL_*
* @tl_vflags: gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL
*
* This function adds the system's default trusted certificate
* authorities to the trusted list. Note that on unsupported system
* this function returns %GNUTLS_E_UNIMPLEMENTED_FEATURE.
*
* Returns: The number of added elements or a negative error code on error.
*
* Since: 3.1
**/
int
gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list,
unsigned int tl_flags, unsigned int tl_vflags)
{
#if !defined(DEFAULT_TRUST_STORE_PKCS11) && !defined(DEFAULT_TRUST_STORE_FILE) && !defined(_WIN32)
return GNUTLS_E_UNIMPLEMENTED_FEATURE;
#else
int ret, r = 0;
const char* crl_file =
# ifdef DEFAULT_CRL_FILE
DEFAULT_CRL_FILE;
# else
NULL;
# endif
# ifdef _WIN32
unsigned int i;
for (i=0;i<2;i++)
{
HCERTSTORE store;
const CERT_CONTEXT *cert;
const CRL_CONTEXT *crl;
gnutls_datum_t data;
if (i==0) store = CertOpenSystemStore(0, "ROOT");
else store = CertOpenSystemStore(0, "CA");
if (store == NULL) return GNUTLS_E_FILE_ERROR;
cert = CertEnumCertificatesInStore(store, NULL);
crl = Loaded_CertEnumCRLsInStore(store, NULL);
while(cert != NULL)
{
if (cert->dwCertEncodingType == X509_ASN_ENCODING)
{
data.data = cert->pbCertEncoded;
data.size = cert->cbCertEncoded;
if (gnutls_x509_trust_list_add_trust_mem(list, &data, NULL, GNUTLS_X509_FMT_DER, tl_flags, tl_vflags) > 0)
r++;
}
cert = CertEnumCertificatesInStore(store, cert);
}
while(crl != NULL)
{
if (crl->dwCertEncodingType == X509_ASN_ENCODING)
{
data.data = crl->pbCrlEncoded;
data.size = crl->cbCrlEncoded;
gnutls_x509_trust_list_add_trust_mem(list, NULL, &data, GNUTLS_X509_FMT_DER, tl_flags, tl_vflags);
}
crl = Loaded_CertEnumCRLsInStore(store, crl);
}
CertCloseStore(store, 0);
}
# endif
# if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11)
ret = gnutls_x509_trust_list_add_trust_file(list, DEFAULT_TRUST_STORE_PKCS11, crl_file,
GNUTLS_X509_FMT_DER, tl_flags, tl_vflags);
if (ret > 0)
r += ret;
# endif
# ifdef DEFAULT_TRUST_STORE_FILE
ret = gnutls_x509_trust_list_add_trust_file(list, DEFAULT_TRUST_STORE_FILE, crl_file,
GNUTLS_X509_FMT_PEM, tl_flags, tl_vflags);
if (ret > 0)
r += ret;
# endif
return r;
#endif
}
void doit(void)
{
char buf[128];
int exit_val = 0;
int ret;
unsigned j;
const char *lib, *bin;
gnutls_x509_crt_t issuer = NULL;
gnutls_x509_trust_list_t tl;
gnutls_x509_crt_t certs[MAX_CHAIN];
gnutls_x509_crt_t intermediate;
gnutls_datum_t tmp;
/* The overloading of time() seems to work in linux (ELF?)
* systems only. Disable it on windows.
*/
#ifdef _WIN32
exit(77);
#endif
bin = softhsm_bin();
lib = softhsm_lib();
ret = global_init();
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
gnutls_pkcs11_set_pin_function(pin_func, NULL);
gnutls_global_set_time_function(mytime);
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
set_softhsm_conf(CONFIG);
snprintf(buf, sizeof(buf), "%s --init-token --slot 0 --label test --so-pin "PIN" --pin "PIN, bin);
system(buf);
ret = gnutls_pkcs11_add_provider(lib, "trusted");
if (ret < 0) {
fprintf(stderr, "gnutls_x509_crt_init: %s\n",
gnutls_strerror(ret));
exit(1);
}
for (j = 0; ca_list[j]; j++) {
if (debug > 2)
printf("\tAdding certificate %d...",
(int) j);
ret = gnutls_x509_crt_init(&certs[j]);
if (ret < 0) {
fprintf(stderr,
"gnutls_x509_crt_init[%d,%d]: %s\n",
(int) 3, (int) j,
gnutls_strerror(ret));
exit(1);
}
tmp.data = (unsigned char *) ca_list[j];
tmp.size = strlen(ca_list[j]);
ret =
gnutls_x509_crt_import(certs[j], &tmp,
GNUTLS_X509_FMT_PEM);
if (debug > 2)
printf("done\n");
if (ret < 0) {
fprintf(stderr,
"gnutls_x509_crt_import[%d]: %s\n",
(int) j,
gnutls_strerror(ret));
exit(1);
}
gnutls_x509_crt_print(certs[j],
GNUTLS_CRT_PRINT_ONELINE,
&tmp);
if (debug)
printf("\tCertificate %d: %.*s\n", (int) j,
tmp.size, tmp.data);
gnutls_free(tmp.data);
}
if (debug > 2)
printf("\tAdding intermediate certificate...");
ret = gnutls_x509_crt_init(&intermediate);
if (ret < 0) {
fprintf(stderr, "gnutls_x509_crt_init: %s\n",
gnutls_strerror(ret));
exit(1);
}
tmp.data = (unsigned char *) intermediate_str;
tmp.size = strlen(intermediate_str);
ret =
gnutls_x509_crt_import(intermediate, &tmp, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fprintf(stderr, "gnutls_x509_crt_import: %s\n",
gnutls_strerror(ret));
exit(1);
}
if (debug > 2)
printf("done\n");
gnutls_x509_crt_print(intermediate, GNUTLS_CRT_PRINT_ONELINE, &tmp);
if (debug)
printf("\tIntermediate Certificate: %.*s\n", tmp.size,
tmp.data);
gnutls_free(tmp.data);
if (debug)
printf("\tVerifying...");
/* initialize softhsm token */
ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test");
if (ret < 0) {
fail("gnutls_pkcs11_token_init\n");
exit(1);
}
/* write CA certificate to softhsm */
for (j = 0; ca_list[j]; j++) {
char name[64];
snprintf(name, sizeof(name), "test-ca%d", j);
ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, certs[j], name, GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO);
if (ret < 0) {
fail("gnutls_pkcs11_copy_x509_crt: %s\n", gnutls_strerror(ret));
exit(1);
}
}
/* try to extract an issuer when using an object URL
*/
gnutls_x509_trust_list_init(&tl, 0);
ret = gnutls_x509_trust_list_add_trust_file(tl, OBJ_URL, NULL, 0, 0, 0);
if (ret != 1) {
fail("gnutls_x509_trust_list_add_trust_file (with expl. object 0): %d\n", ret);
exit(1);
}
/* extract the issuer of the certificate */
ret = gnutls_x509_trust_list_get_issuer(tl, intermediate, &issuer, GNUTLS_TL_GET_COPY);
if (ret < 0) {
fail("gnutls_x509_trust_list_get_issuer (with expl. object) should have succeeded\n");
exit(1);
}
gnutls_x509_crt_deinit(issuer);
gnutls_x509_trust_list_deinit(tl, 0);
/* Try to extract issuers using PKCS #11 token URL
*/
gnutls_x509_trust_list_init(&tl, 0);
ret = gnutls_x509_trust_list_add_trust_file(tl, SOFTHSM_URL, NULL, 0, 0, 0);
if (ret < 0) {
fail("gnutls_x509_trust_list_add_trust_file\n");
exit(1);
}
/* extract the issuer of the certificate */
ret = gnutls_x509_trust_list_get_issuer(tl, intermediate, &issuer, GNUTLS_TL_GET_COPY);
if (ret < 0) {
fail("gnutls_x509_trust_list_get_issuer should have succeeded\n");
exit(1);
}
gnutls_x509_crt_deinit(issuer);
ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, certs[2], GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED);
if (ret == 0) {
fail("error in gnutls_pkcs11_crt_is_known - 0\n");
exit(1);
}
ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, certs[0], GNUTLS_PKCS11_OBJ_FLAG_COMPARE|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED);
if (ret == 0) {
fail("error in gnutls_pkcs11_crt_is_known - 0\n");
exit(1);
}
ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, certs[1], GNUTLS_PKCS11_OBJ_FLAG_COMPARE|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED);
if (ret == 0) {
fail("error in gnutls_pkcs11_crt_is_known - 0\n");
exit(1);
}
gnutls_x509_trust_list_deinit(tl, 0);
/* deinit */
if (debug)
printf("\tCleanup...");
gnutls_x509_crt_deinit(intermediate);
for (j = 0; ca_list[j]; j++) {
gnutls_x509_crt_deinit(certs[j]);
}
if (debug)
printf("done\n\n\n");
gnutls_global_deinit();
if (debug)
printf("Exit status...%d\n", exit_val);
remove(CONFIG);
exit(exit_val);
}
void doit(void)
{
char buf[128];
int exit_val = 0;
int ret;
unsigned j;
const char *lib, *bin;
gnutls_x509_crt_t issuer = NULL;
gnutls_x509_trust_list_t tl;
gnutls_x509_crt_t certs[MAX_CHAIN];
gnutls_x509_crt_t end, ca;
unsigned verify_status = 0;
gnutls_datum_t tmp;
/* The overloading of time() seems to work in linux (ELF?)
* systems only. Disable it on windows.
*/
#ifdef _WIN32
exit(77);
#endif
bin = softhsm_bin();
lib = softhsm_lib();
ret = global_init();
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
gnutls_pkcs11_set_pin_function(pin_func, NULL);
gnutls_global_set_time_function(mytime);
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
set_softhsm_conf(CONFIG);
snprintf(buf, sizeof(buf), "%s --init-token --slot 0 --label test --so-pin "PIN" --pin "PIN, bin);
system(buf);
ret = gnutls_pkcs11_add_provider(lib, "trusted");
if (ret < 0) {
fprintf(stderr, "gnutls_x509_crt_init: %s\n",
gnutls_strerror(ret));
exit(1);
}
for (j = 0; ca_list[j]; j++) {
if (debug > 2)
printf("\tAdding certificate %d...",
(int) j);
ret = gnutls_x509_crt_init(&certs[j]);
if (ret < 0) {
fprintf(stderr,
"gnutls_x509_crt_init[%d,%d]: %s\n",
(int) 3, (int) j,
gnutls_strerror(ret));
exit(1);
}
tmp.data = (unsigned char *) ca_list[j];
tmp.size = strlen(ca_list[j]);
ret =
gnutls_x509_crt_import(certs[j], &tmp,
GNUTLS_X509_FMT_PEM);
if (debug > 2)
printf("done\n");
if (ret < 0) {
fprintf(stderr,
"gnutls_x509_crt_import[%d]: %s\n",
(int) j,
gnutls_strerror(ret));
exit(1);
}
gnutls_x509_crt_print(certs[j],
GNUTLS_CRT_PRINT_ONELINE,
&tmp);
if (debug)
printf("\tCertificate %d: %.*s\n", (int) j,
tmp.size, tmp.data);
gnutls_free(tmp.data);
}
if (debug > 2)
printf("\tAdding end certificate...");
ret = gnutls_x509_crt_init(&end);
if (ret < 0) {
fprintf(stderr, "gnutls_x509_crt_init: %s\n",
gnutls_strerror(ret));
exit(1);
}
tmp.data = (unsigned char *) v1_root_check[0];
tmp.size = strlen(v1_root_check[0]);
ret =
gnutls_x509_crt_import(end, &tmp, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fprintf(stderr, "gnutls_x509_crt_import: %s\n",
gnutls_strerror(ret));
exit(1);
}
gnutls_x509_crt_print(end, GNUTLS_CRT_PRINT_ONELINE, &tmp);
if (debug)
printf("\tEnd Certificate: %.*s\n", tmp.size,
tmp.data);
gnutls_free(tmp.data);
ret = gnutls_x509_crt_init(&ca);
if (ret < 0) {
fprintf(stderr, "gnutls_x509_crt_init: %s\n",
gnutls_strerror(ret));
exit(1);
}
tmp.data = (unsigned char *) v1_root_check[1];
tmp.size = strlen(v1_root_check[1]);
ret =
gnutls_x509_crt_import(ca, &tmp, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
fprintf(stderr, "gnutls_x509_crt_import: %s\n",
gnutls_strerror(ret));
exit(1);
}
gnutls_x509_crt_print(end, GNUTLS_CRT_PRINT_ONELINE, &tmp);
if (debug)
printf("\tCA Certificate: %.*s\n", tmp.size,
tmp.data);
gnutls_free(tmp.data);
if (debug > 2)
printf("done\n");
if (debug)
printf("\tChecking presence and verification...");
/* initialize softhsm token */
ret = gnutls_pkcs11_token_init(SOFTHSM_URL, PIN, "test");
if (ret < 0) {
fail("gnutls_pkcs11_token_init\n");
exit(1);
}
/* write CA certificate to softhsm */
for (j = 0; ca_list[j]; j++) {
char name[64];
snprintf(name, sizeof(name), "test-ca%d", j);
ret = gnutls_pkcs11_copy_x509_crt(SOFTHSM_URL, certs[j], name, GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED|GNUTLS_PKCS11_OBJ_FLAG_LOGIN_SO);
if (ret < 0) {
fail("gnutls_pkcs11_copy_x509_crt: %s\n", gnutls_strerror(ret));
exit(1);
}
}
gnutls_x509_trust_list_init(&tl, 0);
ret = gnutls_x509_trust_list_add_trust_file(tl, SOFTHSM_URL, NULL, 0, 0, 0);
if (ret < 0) {
fail("gnutls_x509_trust_list_add_trust_file\n");
exit(1);
}
ret = gnutls_x509_trust_list_add_cas(tl, &ca, 1, 0);
if (ret < 0) {
fail("gnutls_x509_trust_list_add_cas\n");
exit(1);
}
/* extract the issuer of the certificate */
ret = gnutls_x509_trust_list_get_issuer(tl, end, &issuer, GNUTLS_TL_GET_COPY);
if (ret < 0) {
fail("gnutls_x509_trust_list_get_issuer should have succeeded\n");
exit(1);
}
gnutls_x509_crt_deinit(issuer);
ret = gnutls_pkcs11_crt_is_known(SOFTHSM_URL, ca, GNUTLS_PKCS11_OBJ_FLAG_COMPARE_KEY|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_TRUSTED);
if (ret != 0) {
fail("gnutls_pkcs11_crt_is_known should have failed!\n");
exit(1);
}
ret = gnutls_x509_trust_list_verify_crt2(tl, &end, 1,
NULL, 0,
GNUTLS_VERIFY_DISABLE_TIME_CHECKS, &verify_status, NULL);
if (ret < 0) {
fail("gnutls_x509_trust_list_verify_crt2 should have succeeded\n");
exit(1);
}
if (verify_status != 0) {
fail("verification should have succeeded: %.2x\n", verify_status);
exit(1);
}
if (debug)
printf("\tCleanup...");
gnutls_x509_trust_list_deinit(tl, 0);
gnutls_x509_crt_deinit(ca);
gnutls_x509_crt_deinit(end);
for (j = 0; ca_list[j]; j++) {
gnutls_x509_crt_deinit(certs[j]);
}
if (debug)
printf("done\n\n\n");
gnutls_global_deinit();
if (debug)
printf("Exit status...%d\n", exit_val);
remove(CONFIG);
exit(exit_val);
}
