/**
* gnutls_certificate_set_x509_trust_mem:
* @res: is a #gnutls_certificate_credentials_t type.
* @ca: is a list of trusted CAs or a DER certificate
* @type: is DER or PEM
*
* This function adds the trusted CAs in order to verify client or
* server certificates. In case of a client this is not required to be
* called if the certificates are not verified using
* gnutls_certificate_verify_peers2(). This function may be called
* multiple times.
*
* In case of a server the CAs set here will be sent to the client if
* a certificate request is sent. This can be disabled using
* gnutls_certificate_send_x509_rdn_sequence().
*
* Returns: the number of certificates processed or a negative error code
* on error.
**/
int
gnutls_certificate_set_x509_trust_mem(gnutls_certificate_credentials_t res,
const gnutls_datum_t * ca,
gnutls_x509_crt_fmt_t type)
{
int ret;
ret = gnutls_x509_trust_list_add_trust_mem(res->tlist, ca, NULL,
type, GNUTLS_TL_USE_IN_TLS, 0);
if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
return 0;
return ret;
}
/**
* gnutls_x509_trust_list_add_trust_file:
* @list: The structure of the list
* @ca_file: A file containing a list of CAs (optional)
* @crl_file: A file containing a list of CRLs (optional)
* @type: The format of the certificates
* @tl_flags: GNUTLS_TL_*
* @tl_vflags: gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL
*
* This function will add the given certificate authorities
* to the trusted list. pkcs11 URLs are also accepted, instead
* of files, by this function.
*
* Returns: The number of added elements is returned.
*
* Since: 3.1
**/
int
gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,
const char* ca_file,
const char* crl_file,
gnutls_x509_crt_fmt_t type,
unsigned int tl_flags,
unsigned int tl_vflags)
{
gnutls_datum_t cas = { NULL, 0 };
gnutls_datum_t crls = { NULL, 0 };
size_t size;
int ret;
#ifdef ENABLE_PKCS11
if (strncmp (ca_file, "pkcs11:", 7) == 0)
{
ret = import_pkcs11_url(list, ca_file, tl_flags);
if (ret < 0)
return gnutls_assert_val(ret);
}
else
#endif
{
cas.data = (void*)read_binary_file (ca_file, &size);
if (cas.data == NULL)
{
gnutls_assert ();
return GNUTLS_E_FILE_ERROR;
}
cas.size = size;
}
if (crl_file)
{
crls.data = (void*)read_binary_file (crl_file, &size);
if (crls.data == NULL)
{
gnutls_assert ();
return GNUTLS_E_FILE_ERROR;
}
crls.size = size;
}
ret = gnutls_x509_trust_list_add_trust_mem(list, &cas, &crls, type, tl_flags, tl_vflags);
free(crls.data);
free(cas.data);
return ret;
}
/**
* gnutls_certificate_set_x509_crl_mem:
* @res: is a #gnutls_certificate_credentials_t type.
* @CRL: is a list of trusted CRLs. They should have been verified before.
* @type: is DER or PEM
*
* This function adds the trusted CRLs in order to verify client or
* server certificates. In case of a client this is not required to
* be called if the certificates are not verified using
* gnutls_certificate_verify_peers2(). This function may be called
* multiple times.
*
* Returns: number of CRLs processed, or a negative error code on error.
**/
int
gnutls_certificate_set_x509_crl_mem(gnutls_certificate_credentials_t res,
const gnutls_datum_t * CRL,
gnutls_x509_crt_fmt_t type)
{
unsigned flags = GNUTLS_TL_USE_IN_TLS;
int ret;
if (res->flags & GNUTLS_CERTIFICATE_VERIFY_CRLS)
flags |= GNUTLS_TL_VERIFY_CRL|GNUTLS_TL_FAIL_ON_INVALID_CRL;
ret = gnutls_x509_trust_list_add_trust_mem(res->tlist, NULL, CRL,
type, flags, 0);
if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
return 0;
return ret;
}
/**
* gnutls_x509_trust_list_add_system_trust:
* @list: The structure of the list
* @tl_flags: GNUTLS_TL_*
* @tl_vflags: gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL
*
* This function adds the system's default trusted certificate
* authorities to the trusted list. Note that on unsupported system
* this function returns %GNUTLS_E_UNIMPLEMENTED_FEATURE.
*
* Returns: The number of added elements or a negative error code on error.
*
* Since: 3.1
**/
int
gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list,
unsigned int tl_flags, unsigned int tl_vflags)
{
#if !defined(DEFAULT_TRUST_STORE_PKCS11) && !defined(DEFAULT_TRUST_STORE_FILE) && !defined(_WIN32)
return GNUTLS_E_UNIMPLEMENTED_FEATURE;
#else
int ret, r = 0;
const char* crl_file =
# ifdef DEFAULT_CRL_FILE
DEFAULT_CRL_FILE;
# else
NULL;
# endif
# ifdef _WIN32
unsigned int i;
for (i=0;i<2;i++)
{
HCERTSTORE store;
const CERT_CONTEXT *cert;
const CRL_CONTEXT *crl;
gnutls_datum_t data;
if (i==0) store = CertOpenSystemStore(0, "ROOT");
else store = CertOpenSystemStore(0, "CA");
if (store == NULL) return GNUTLS_E_FILE_ERROR;
cert = CertEnumCertificatesInStore(store, NULL);
crl = Loaded_CertEnumCRLsInStore(store, NULL);
while(cert != NULL)
{
if (cert->dwCertEncodingType == X509_ASN_ENCODING)
{
data.data = cert->pbCertEncoded;
data.size = cert->cbCertEncoded;
if (gnutls_x509_trust_list_add_trust_mem(list, &data, NULL, GNUTLS_X509_FMT_DER, tl_flags, tl_vflags) > 0)
r++;
}
cert = CertEnumCertificatesInStore(store, cert);
}
while(crl != NULL)
{
if (crl->dwCertEncodingType == X509_ASN_ENCODING)
{
data.data = crl->pbCrlEncoded;
data.size = crl->cbCrlEncoded;
gnutls_x509_trust_list_add_trust_mem(list, NULL, &data, GNUTLS_X509_FMT_DER, tl_flags, tl_vflags);
}
crl = Loaded_CertEnumCRLsInStore(store, crl);
}
CertCloseStore(store, 0);
}
# endif
# if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11)
ret = gnutls_x509_trust_list_add_trust_file(list, DEFAULT_TRUST_STORE_PKCS11, crl_file,
GNUTLS_X509_FMT_DER, tl_flags, tl_vflags);
if (ret > 0)
r += ret;
# endif
# ifdef DEFAULT_TRUST_STORE_FILE
ret = gnutls_x509_trust_list_add_trust_file(list, DEFAULT_TRUST_STORE_FILE, crl_file,
GNUTLS_X509_FMT_PEM, tl_flags, tl_vflags);
if (ret > 0)
r += ret;
# endif
return r;
#endif
}
/**
* gnutls_x509_trust_list_add_trust_file:
* @list: The list
* @ca_file: A file containing a list of CAs (optional)
* @crl_file: A file containing a list of CRLs (optional)
* @type: The format of the certificates
* @tl_flags: flags from %gnutls_trust_list_flags_t
* @tl_vflags: gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL
*
* This function will add the given certificate authorities
* to the trusted list. PKCS #11 URLs are also accepted, instead
* of files, by this function. A PKCS #11 URL implies a trust
* database (a specially marked module in p11-kit); the URL "pkcs11:"
* implies all trust databases in the system. Only a single URL specifying
* trust databases can be set; they cannot be stacked with multiple calls.
*
* Returns: The number of added elements is returned.
*
* Since: 3.1
**/
int
gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,
const char *ca_file,
const char *crl_file,
gnutls_x509_crt_fmt_t type,
unsigned int tl_flags,
unsigned int tl_vflags)
{
gnutls_datum_t cas = { NULL, 0 };
gnutls_datum_t crls = { NULL, 0 };
size_t size;
int ret;
if (ca_file != NULL) {
#ifdef ENABLE_PKCS11
if (strncmp(ca_file, "pkcs11:", 7) == 0) {
unsigned pcrt_list_size = 0;
/* in case of a token URL import it as a PKCS #11 token,
* otherwise import the individual certificates.
*/
if (is_pkcs11_url_object(ca_file) != 0) {
return add_trust_list_pkcs11_object_url(list, ca_file, tl_flags);
} else { /* token */
if (list->pkcs11_token != NULL)
return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
list->pkcs11_token = gnutls_strdup(ca_file);
/* enumerate the certificates */
ret = gnutls_pkcs11_obj_list_import_url(NULL, &pcrt_list_size,
ca_file,
(GNUTLS_PKCS11_OBJ_FLAG_CRT|GNUTLS_PKCS11_OBJ_FLAG_MARK_CA|GNUTLS_PKCS11_OBJ_FLAG_MARK_TRUSTED),
0);
if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
return gnutls_assert_val(ret);
return pcrt_list_size;
}
} else
#endif
{
cas.data = (void *) read_binary_file(ca_file, &size);
if (cas.data == NULL) {
gnutls_assert();
return GNUTLS_E_FILE_ERROR;
}
cas.size = size;
}
}
if (crl_file) {
crls.data = (void *) read_binary_file(crl_file, &size);
if (crls.data == NULL) {
gnutls_assert();
return GNUTLS_E_FILE_ERROR;
}
crls.size = size;
}
ret =
gnutls_x509_trust_list_add_trust_mem(list, &cas, &crls, type,
tl_flags, tl_vflags);
free(crls.data);
free(cas.data);
return ret;
}
void doit(void)
{
int ret;
gnutls_datum_t data;
gnutls_x509_crt_t *crts;
unsigned int crts_size, i;
gnutls_x509_trust_list_t tl;
unsigned int status, flags = GNUTLS_VERIFY_ALLOW_UNSORTED_CHAIN;
unsigned int not_flags = GNUTLS_VERIFY_DO_NOT_ALLOW_UNSORTED_CHAIN;
/* this must be called once in the program
*/
global_init();
gnutls_global_set_time_function(mytime);
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(6);
/* test for gnutls_certificate_get_issuer() */
gnutls_x509_trust_list_init(&tl, 0);
ret =
gnutls_x509_trust_list_add_trust_mem(tl, &ca, NULL,
GNUTLS_X509_FMT_PEM, 0,
0);
if (ret < 0) {
fail("gnutls_x509_trust_list_add_trust_mem\n");
exit(1);
}
/* Chain 1 */
data.data = (void *) chain1;
data.size = sizeof(chain1);
ret =
gnutls_x509_crt_list_import2(&crts, &crts_size, &data,
GNUTLS_X509_FMT_PEM, 0);
if (ret < 0) {
fail("gnutls_x509_crt_list_import2: %s\n",
gnutls_strerror(ret));
exit(1);
}
ret =
gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, flags,
&status, NULL);
if (ret < 0 || status != 0) {
fail("gnutls_x509_trust_list_verify_crt - 1\n");
exit(1);
}
for (i = 0; i < crts_size; i++)
gnutls_x509_crt_deinit(crts[i]);
gnutls_free(crts);
/* Chain 2 */
data.data = (void *) chain2;
data.size = sizeof(chain2);
/* verify whether the GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED flag is
* considered by gnutls_x509_crt_list_import2() */
ret =
gnutls_x509_crt_list_import2(&crts, &crts_size, &data,
GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_FAIL_IF_UNSORTED);
if (ret != GNUTLS_E_CERTIFICATE_LIST_UNSORTED) {
fail("gnutls_x509_crt_list_import2 with flag GNUTLS_E_CERTIFICATE_LIST_UNSORTED on unsorted chain didn't fail: %s\n", gnutls_strerror(ret));
exit(1);
}
ret =
gnutls_x509_crt_list_import2(&crts, &crts_size, &data,
GNUTLS_X509_FMT_PEM, 0);
if (ret < 0) {
fail("gnutls_x509_crt_list_import2: %s\n",
gnutls_strerror(ret));
exit(1);
}
ret =
gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, flags,
&status, NULL);
if (ret < 0 || status != 0) {
fail("gnutls_x509_trust_list_verify_crt - 2\n");
exit(1);
}
for (i = 0; i < crts_size; i++)
gnutls_x509_crt_deinit(crts[i]);
gnutls_free(crts);
/* Chain 3 */
data.data = (void *) chain3;
data.size = sizeof(chain3);
ret =
gnutls_x509_crt_list_import2(&crts, &crts_size, &data,
GNUTLS_X509_FMT_PEM, 0);
if (ret < 0) {
fail("gnutls_x509_crt_list_import2: %s\n",
gnutls_strerror(ret));
exit(1);
}
ret =
gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, flags,
&status, NULL);
if (ret < 0 || status != 0) {
fail("gnutls_x509_trust_list_verify_crt - 3\n");
exit(1);
}
for (i = 0; i < crts_size; i++)
gnutls_x509_crt_deinit(crts[i]);
gnutls_free(crts);
/* Chain 4 */
data.data = (void *) chain4;
data.size = sizeof(chain4);
ret =
gnutls_x509_crt_list_import2(&crts, &crts_size, &data,
GNUTLS_X509_FMT_PEM, 0);
if (ret < 0) {
fail("gnutls_x509_crt_list_import2: %s\n",
gnutls_strerror(ret));
exit(1);
}
ret =
gnutls_x509_trust_list_verify_crt(tl, crts, crts_size, flags,
&status, NULL);
if (ret < 0 || status != 0) {
fail("gnutls_x509_trust_list_verify_crt - 4\n");
exit(1);
}
for (i = 0; i < crts_size; i++)
gnutls_x509_crt_deinit(crts[i]);
gnutls_free(crts);
/* Check if an unsorted list would fail if the unsorted flag is not given */
data.data = (void *) chain2;
data.size = sizeof(chain2);
ret =
gnutls_x509_crt_list_import2(&crts, &crts_size, &data,
GNUTLS_X509_FMT_PEM, 0);
if (ret < 0) {
fail("gnutls_x509_crt_list_import2: %s\n",
gnutls_strerror(ret));
exit(1);
}
ret =
gnutls_x509_trust_list_verify_crt(tl, crts, crts_size,
not_flags, &status, NULL);
if (ret < 0 || status == 0) {
fail("gnutls_x509_trust_list_verify_crt - 5\n");
exit(1);
}
for (i = 0; i < crts_size; i++)
gnutls_x509_crt_deinit(crts[i]);
gnutls_free(crts);
gnutls_x509_trust_list_deinit(tl, 1);
gnutls_global_deinit();
if (debug)
success("success");
}
void
doit (void)
{
int ret;
gnutls_datum_t data;
gnutls_x509_crt_t server_crt, ca_crt;
gnutls_x509_trust_list_t tl;
unsigned int status;
/* this must be called once in the program
*/
gnutls_global_init ();
gnutls_global_set_time_function (mytime);
gnutls_global_set_log_function (tls_log_func);
if (debug)
gnutls_global_set_log_level (6);
/* test for gnutls_certificate_get_issuer() */
gnutls_x509_trust_list_init(&tl, 0);
gnutls_x509_crt_init(&server_crt);
gnutls_x509_crt_init(&ca_crt);
ret = gnutls_x509_crt_import(server_crt, &cert, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("gnutls_x509_crt_import");
ret = gnutls_x509_crt_import(ca_crt, &ca, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail("gnutls_x509_crt_import");
ret = gnutls_x509_trust_list_add_cas(tl, &ca_crt, 1, 0);
if (ret < 0)
fail("gnutls_x509_trust_list_add_cas");
ret = gnutls_x509_trust_list_add_named_crt(tl, server_crt, NAME, NAME_SIZE, 0);
if (ret < 0)
fail("gnutls_x509_trust_list_add_named_crt");
ret = gnutls_x509_trust_list_verify_crt(tl, &server_crt, 1, 0, &status, NULL);
if (ret < 0 || status != 0)
fail("gnutls_x509_trust_list_verify_crt\n");
ret = gnutls_x509_trust_list_verify_named_crt(tl, server_crt, NAME, NAME_SIZE, 0, &status, NULL);
if (ret < 0 || status != 0)
fail("gnutls_x509_trust_list_verify_named_crt: %d\n", __LINE__);
ret = gnutls_x509_trust_list_verify_named_crt(tl, server_crt, NAME, NAME_SIZE-1, 0, &status, NULL);
if (ret < 0 || status == 0)
fail("gnutls_x509_trust_list_verify_named_crt: %d\n", __LINE__);
ret = gnutls_x509_trust_list_verify_named_crt(tl, server_crt, "other", 5, 0, &status, NULL);
if (ret < 0 || status == 0)
fail("gnutls_x509_trust_list_verify_named_crt: %d\n", __LINE__);
/* test convenience functions in verify-high2.c */
data.data = cert_pem;
data.size = strlen((char*)cert_pem);
ret = gnutls_x509_trust_list_add_trust_mem(tl, &data, NULL, GNUTLS_X509_FMT_PEM, 0, 0);
if (ret < 1)
fail("gnutls_x509_trust_list_add_trust_mem: %d (%s)\n", __LINE__, gnutls_strerror(ret));
data.data = cert_der;
data.size = sizeof(cert_der);
ret = gnutls_x509_trust_list_add_trust_mem(tl, &data, NULL, GNUTLS_X509_FMT_DER, 0, 0);
if (ret < 1)
fail("gnutls_x509_trust_list_add_trust_mem: %d (%s)\n", __LINE__, gnutls_strerror(ret));
gnutls_x509_trust_list_deinit(tl, 1);
gnutls_global_deinit();
if (debug) success("success");
}
static
int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
unsigned int tl_vflags)
{
char path[GNUTLS_PATH_MAX];
unsigned int i;
int r = 0;
for (i = 0; i < 2; i++) {
HCERTSTORE store;
const CERT_CONTEXT *cert;
const CRL_CONTEXT *crl;
gnutls_datum_t data;
if (i == 0)
store = CertOpenSystemStore(0, "ROOT");
else
store = CertOpenSystemStore(0, "CA");
if (store == NULL)
return GNUTLS_E_FILE_ERROR;
cert = CertEnumCertificatesInStore(store, NULL);
crl = pCertEnumCRLsInStore(store, NULL);
while (cert != NULL) {
if (cert->dwCertEncodingType == X509_ASN_ENCODING) {
data.data = cert->pbCertEncoded;
data.size = cert->cbCertEncoded;
if (gnutls_x509_trust_list_add_trust_mem
(list, &data, NULL,
GNUTLS_X509_FMT_DER, tl_flags,
tl_vflags) > 0)
r++;
}
cert = CertEnumCertificatesInStore(store, cert);
}
while (crl != NULL) {
if (crl->dwCertEncodingType == X509_ASN_ENCODING) {
data.data = crl->pbCrlEncoded;
data.size = crl->cbCrlEncoded;
gnutls_x509_trust_list_add_trust_mem(list,
NULL,
&data,
GNUTLS_X509_FMT_DER,
tl_flags,
tl_vflags);
}
crl = pCertEnumCRLsInStore(store, crl);
}
CertCloseStore(store, 0);
}
#ifdef DEFAULT_BLACKLIST_FILE
ret = gnutls_x509_trust_list_remove_trust_file(list, DEFAULT_BLACKLIST_FILE, GNUTLS_X509_FMT_PEM);
if (ret < 0) {
_gnutls_debug_log("Could not load blacklist file '%s'\n", DEFAULT_BLACKLIST_FILE);
}
#endif
return r;
}
