/**
* gnutls_ocsp_req_print:
* @req: The data to be printed
* @format: Indicate the format to use
* @out: Newly allocated datum with (0) terminated string.
*
* This function will pretty print a OCSP request, suitable for
* display to a human.
*
* If the format is %GNUTLS_OCSP_PRINT_FULL then all fields of the
* request will be output, on multiple lines.
*
* The output @out->data needs to be deallocate using gnutls_free().
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
**/
int
gnutls_ocsp_req_print(gnutls_ocsp_req_t req,
gnutls_ocsp_print_formats_t format,
gnutls_datum_t * out)
{
gnutls_buffer_st str;
int rc;
if (format != GNUTLS_OCSP_PRINT_FULL) {
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
_gnutls_buffer_init(&str);
_gnutls_buffer_append_str(&str, _("OCSP Request Information:\n"));
print_req(&str, req);
rc = _gnutls_buffer_to_datum(&str, out, 1);
if (rc != GNUTLS_E_SUCCESS) {
gnutls_assert();
return rc;
}
return GNUTLS_E_SUCCESS;
}
/**
* gnutls_ocsp_resp_print:
* @resp: The structure to be printed
* @format: Indicate the format to use
* @out: Newly allocated datum with (0) terminated string.
*
* This function will pretty print a OCSP response, suitable for
* display to a human.
*
* If the format is %GNUTLS_OCSP_PRINT_FULL then all fields of the
* response will be output, on multiple lines.
*
* The output @out->data needs to be deallocate using gnutls_free().
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
**/
int
gnutls_ocsp_resp_print (gnutls_ocsp_resp_t resp,
gnutls_ocsp_print_formats_t format,
gnutls_datum_t * out)
{
gnutls_buffer_st str;
int rc;
_gnutls_buffer_init (&str);
_gnutls_buffer_append_str (&str, _("OCSP Response Information:\n"));
print_resp (&str, resp, format);
_gnutls_buffer_append_data (&str, "\0", 1);
rc = _gnutls_buffer_to_datum (&str, out);
if (rc != GNUTLS_E_SUCCESS)
{
gnutls_assert ();
return rc;
}
return GNUTLS_E_SUCCESS;
}
/**
* gnutls_openpgp_crt_print:
* @cert: The structure to be printed
* @format: Indicate the format to use
* @out: Newly allocated datum with (0) terminated string.
*
* This function will pretty print an OpenPGP certificate, suitable
* for display to a human.
*
* The format should be (0) for future compatibility.
*
* The output @out needs to be deallocate using gnutls_free().
*
* Returns: %GNUTLS_E_SUCCESS on success, or an error code.
**/
int
gnutls_openpgp_crt_print(gnutls_openpgp_crt_t cert,
gnutls_certificate_print_formats_t format,
gnutls_datum_t * out)
{
gnutls_buffer_st str;
int ret;
_gnutls_buffer_init(&str);
if (format == GNUTLS_CRT_PRINT_ONELINE)
print_oneline(&str, cert);
else if (format == GNUTLS_CRT_PRINT_COMPACT) {
print_oneline(&str, cert);
_gnutls_buffer_append_data(&str, "\n", 1);
print_key_fingerprint(&str, cert);
} else {
_gnutls_buffer_append_str(&str,
_
("OpenPGP Certificate Information:\n"));
print_cert(&str, cert);
}
_gnutls_buffer_append_data(&str, "\0", 1);
ret = _gnutls_buffer_to_datum(&str, out);
if (out->size > 0)
out->size--;
return ret;
}
int
_gnutls_x509_get_dn(ASN1_TYPE asn1_struct,
const char *asn1_rdn_name, gnutls_datum_t * dn,
unsigned flags)
{
gnutls_buffer_st out_str;
int i, k1, result;
_gnutls_buffer_init(&out_str);
result = asn1_number_of_elements(asn1_struct, asn1_rdn_name, &k1);
if (result != ASN1_SUCCESS) {
if (result == ASN1_ELEMENT_NOT_FOUND || result == ASN1_VALUE_NOT_FOUND) {
result = gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE);
} else {
gnutls_assert();
result = _gnutls_asn2err(result);
}
goto cleanup;
}
if (k1 == 0) {
gnutls_assert();
result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
goto cleanup;
}
if (flags & GNUTLS_X509_DN_FLAG_COMPAT) {
for (i=0;i<k1;i++) {
result = append_elements(asn1_struct, asn1_rdn_name, &out_str, i+1, (i==(k1-1))?1:0);
if (result < 0) {
gnutls_assert();
goto cleanup;
}
}
} else {
while (k1 > 0) {
result = append_elements(asn1_struct, asn1_rdn_name, &out_str, k1, k1==1?1:0);
if (result < 0) {
gnutls_assert();
goto cleanup;
}
k1--;
}
}
return _gnutls_buffer_to_datum(&out_str, dn, 1);
cleanup:
_gnutls_buffer_clear(&out_str);
return result;
}
int _gnutls_krb5_der_to_principal(const gnutls_datum_t * der,
gnutls_datum_t * name)
{
int ret, result;
ASN1_TYPE c2 = ASN1_TYPE_EMPTY;
gnutls_buffer_st str;
_gnutls_buffer_init(&str);
result =
asn1_create_element(_gnutls_get_gnutls_asn(),
"GNUTLS.KRB5PrincipalName", &c2);
if (result != ASN1_SUCCESS) {
gnutls_assert();
ret = _gnutls_asn2err(result);
goto cleanup;
}
result = asn1_der_decoding(&c2, der->data, der->size, NULL);
if (result != ASN1_SUCCESS) {
gnutls_assert();
ret = _gnutls_asn2err(result);
goto cleanup;
}
ret = principal_to_str(c2, &str);
if (ret < 0) {
/* for some reason we cannot convert to a human readable string
* the principal. Then we use the #HEX format.
*/
_gnutls_buffer_reset(&str);
ret = _gnutls_buffer_append_data(&str, "#", 1);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
_gnutls_buffer_hexprint(&str, der->data, der->size);
}
asn1_delete_structure(&c2);
return _gnutls_buffer_to_datum(&str, name, 1);
cleanup:
_gnutls_buffer_clear(&str);
asn1_delete_structure(&c2);
return ret;
}
/**
* gnutls_certificate_verification_status_print:
* @status: The status flags to be printed
* @type: The certificate type
* @out: Newly allocated datum with (0) terminated string.
* @flags: should be zero
*
* This function will pretty print the status of a verification
* process -- eg. the one obtained by gnutls_certificate_verify_peers3().
*
* The output @out needs to be deallocated using gnutls_free().
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
*
* Since: 3.1.4
**/
int
gnutls_certificate_verification_status_print (unsigned int status,
gnutls_certificate_type_t type,
gnutls_datum_t * out, unsigned int flags)
{
gnutls_buffer_st str;
int ret;
_gnutls_buffer_init (&str);
if (status == 0)
_gnutls_buffer_append_str (&str, _("The certificate is trusted. "));
else
_gnutls_buffer_append_str (&str, _("The certificate is NOT trusted. "));
if (type == GNUTLS_CRT_X509)
{
if (status & GNUTLS_CERT_REVOKED)
_gnutls_buffer_append_str (&str, _("The certificate chain is revoked. "));
if (status & GNUTLS_CERT_MISMATCH)
_gnutls_buffer_append_str (&str, _("The certificate doesn't match the local copy (TOFU). "));
if (status & GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED)
_gnutls_buffer_append_str (&str, _("The revocation data are old and have been superseded. "));
if (status & GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE)
_gnutls_buffer_append_str (&str, _("The revocation data are issued with a future date. "));
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
_gnutls_buffer_append_str (&str, _("The certificate issuer is unknown. "));
if (status & GNUTLS_CERT_SIGNER_NOT_CA)
_gnutls_buffer_append_str (&str, _("The certificate issuer is not a CA. "));
}
else if (type == GNUTLS_CRT_OPENPGP)
{
_gnutls_buffer_append_str (&str, _("The certificate is not trusted. "));
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
_gnutls_buffer_append_str (&str, _("Could not find a signer of the certificate. "));
if (status & GNUTLS_CERT_REVOKED)
_gnutls_buffer_append_str (&str, _("The certificate is revoked. "));
}
if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
_gnutls_buffer_append_str (&str, _("The certificate chain uses insecure algorithm. "));
if (status & GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE)
_gnutls_buffer_append_str (&str, _("The certificate chain violates the signer's constraints. "));
if (status & GNUTLS_CERT_NOT_ACTIVATED)
_gnutls_buffer_append_str (&str, _("The certificate chain uses not yet valid certificate. "));
if (status & GNUTLS_CERT_EXPIRED)
_gnutls_buffer_append_str (&str, _("The certificate chain uses expired certificate. "));
if (status & GNUTLS_CERT_SIGNATURE_FAILURE)
_gnutls_buffer_append_str (&str, _("The signature in the certificate is invalid. "));
if (status & GNUTLS_CERT_UNEXPECTED_OWNER)
_gnutls_buffer_append_str (&str, _("The name in the certificate does not match the expected. "));
ret = _gnutls_buffer_to_datum( &str, out);
if (out->size > 0) out->size--;
return ret;
}
/* Since auth_info structures contain malloced data, this function
* is required in order to pack these structures in a vector in
* order to store them to the DB.
*
* packed_session will contain the session data.
*
* The data will be in a platform independent format.
*/
int
_gnutls_session_pack (gnutls_session_t session,
gnutls_datum_t * packed_session)
{
int ret;
gnutls_buffer_st sb;
opaque id;
if (packed_session == NULL)
{
gnutls_assert ();
return GNUTLS_E_INTERNAL_ERROR;
}
_gnutls_buffer_init (&sb);
id = gnutls_auth_get_type (session);
BUFFER_APPEND (&sb, &id, 1);
switch (id)
{
#ifdef ENABLE_SRP
case GNUTLS_CRD_SRP:
ret = pack_srp_auth_info (session, &sb);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
break;
#endif
#ifdef ENABLE_PSK
case GNUTLS_CRD_PSK:
ret = pack_psk_auth_info (session, &sb);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
break;
#endif
#ifdef ENABLE_ANON
case GNUTLS_CRD_ANON:
ret = pack_anon_auth_info (session, &sb);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
break;
#endif
case GNUTLS_CRD_CERTIFICATE:
ret = pack_certificate_auth_info (session, &sb);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
break;
default:
return GNUTLS_E_INTERNAL_ERROR;
}
/* Auth_info structures copied. Now copy security_parameters_st.
* packed_session must have allocated space for the security parameters.
*/
ret = pack_security_parameters (session, &sb);
if (ret < 0)
{
gnutls_assert ();
_gnutls_buffer_clear (&sb);
return ret;
}
ret = _gnutls_ext_pack (session, &sb);
if (ret < 0)
{
gnutls_assert ();
_gnutls_buffer_clear (&sb);
return ret;
}
ret = _gnutls_buffer_to_datum (&sb, packed_session);
return ret;
}
static int encode_tpmkey_url(char **url, const TSS_UUID * uuid,
TSS_FLAG storage)
{
size_t size = (UUID_SIZE * 2 + 4) * 2 + 32;
uint8_t u1[UUID_SIZE];
gnutls_buffer_st buf;
gnutls_datum_t dret;
int ret;
*url = gnutls_malloc(size);
if (*url == NULL)
return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
_gnutls_buffer_init(&buf);
memcpy(u1, &uuid->ulTimeLow, 4);
memcpy(&u1[4], &uuid->usTimeMid, 2);
memcpy(&u1[6], &uuid->usTimeHigh, 2);
u1[8] = uuid->bClockSeqHigh;
u1[9] = uuid->bClockSeqLow;
memcpy(&u1[10], uuid->rgbNode, 6);
ret = _gnutls_buffer_append_str(&buf, "tpmkey:uuid=");
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret =
_gnutls_buffer_append_printf(&buf,
"%.2x%.2x%.2x%.2x-%.2x%.2x-%.2x%.2x-%.2x%.2x-%.2x%.2x%.2x%.2x%.2x%.2x",
(unsigned int) u1[0],
(unsigned int) u1[1],
(unsigned int) u1[2],
(unsigned int) u1[3],
(unsigned int) u1[4],
(unsigned int) u1[5],
(unsigned int) u1[6],
(unsigned int) u1[7],
(unsigned int) u1[8],
(unsigned int) u1[9],
(unsigned int) u1[10],
(unsigned int) u1[11],
(unsigned int) u1[12],
(unsigned int) u1[13],
(unsigned int) u1[14],
(unsigned int) u1[15]);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret =
_gnutls_buffer_append_printf(&buf, ";storage=%s",
(storage ==
TSS_PS_TYPE_USER) ? "user" :
"system");
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = _gnutls_buffer_to_datum(&buf, &dret);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
*url = (char *) dret.data;
return 0;
cleanup:
_gnutls_buffer_clear(&buf);
return ret;
}
int
_gnutls_x509_get_dn(ASN1_TYPE asn1_struct,
const char *asn1_rdn_name, gnutls_datum_t * dn)
{
gnutls_buffer_st out_str;
int k2, k1, result;
char tmpbuffer1[ASN1_MAX_NAME_SIZE];
char tmpbuffer2[ASN1_MAX_NAME_SIZE];
char tmpbuffer3[ASN1_MAX_NAME_SIZE];
uint8_t value[MAX_STRING_LEN];
gnutls_datum_t td = { NULL, 0 }, tvd = {
NULL, 0};
const char *ldap_desc;
char oid[MAX_OID_SIZE];
int len;
_gnutls_buffer_init(&out_str);
k1 = 0;
do {
k1++;
/* create a string like "tbsCertList.issuer.rdnSequence.?1"
*/
if (asn1_rdn_name[0] != 0)
snprintf(tmpbuffer1, sizeof(tmpbuffer1), "%s.?%u",
asn1_rdn_name, k1);
else
snprintf(tmpbuffer1, sizeof(tmpbuffer1), "?%u",
k1);
len = sizeof(value) - 1;
result =
asn1_read_value(asn1_struct, tmpbuffer1, value, &len);
if (result == ASN1_ELEMENT_NOT_FOUND) {
if (k1 == 1) {
gnutls_assert();
result = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
goto cleanup;
}
break;
}
if (result != ASN1_VALUE_NOT_FOUND) {
gnutls_assert();
result = _gnutls_asn2err(result);
goto cleanup;
}
k2 = 0;
do { /* Move to the attibute type and values
*/
k2++;
if (tmpbuffer1[0] != 0)
snprintf(tmpbuffer2, sizeof(tmpbuffer2),
"%s.?%u", tmpbuffer1, k2);
else
snprintf(tmpbuffer2, sizeof(tmpbuffer2),
"?%u", k2);
/* Try to read the RelativeDistinguishedName attributes.
*/
len = sizeof(value) - 1;
result =
asn1_read_value(asn1_struct, tmpbuffer2, value,
&len);
if (result == ASN1_ELEMENT_NOT_FOUND)
break;
if (result != ASN1_VALUE_NOT_FOUND) {
gnutls_assert();
result = _gnutls_asn2err(result);
goto cleanup;
}
/* Read the OID
*/
_gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3),
tmpbuffer2);
_gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3),
".type");
len = sizeof(oid) - 1;
result =
asn1_read_value(asn1_struct, tmpbuffer3, oid,
&len);
if (result == ASN1_ELEMENT_NOT_FOUND)
break;
else if (result != ASN1_SUCCESS) {
gnutls_assert();
result = _gnutls_asn2err(result);
goto cleanup;
}
/* Read the Value
*/
_gnutls_str_cpy(tmpbuffer3, sizeof(tmpbuffer3),
tmpbuffer2);
_gnutls_str_cat(tmpbuffer3, sizeof(tmpbuffer3),
".value");
len = 0;
result =
_gnutls_x509_read_value(asn1_struct,
tmpbuffer3, &tvd);
if (result < 0) {
gnutls_assert();
goto cleanup;
}
#define STR_APPEND(y) if ((result=_gnutls_buffer_append_str( &out_str, y)) < 0) { \
gnutls_assert(); \
goto cleanup; \
}
#define DATA_APPEND(x,y) if ((result=_gnutls_buffer_append_data( &out_str, x,y)) < 0) { \
gnutls_assert(); \
goto cleanup; \
}
/* The encodings of adjoining RelativeDistinguishedNames are separated
* by a comma character (',' ASCII 44).
*/
/* Where there is a multi-valued RDN, the outputs from adjoining
* AttributeTypeAndValues are separated by a plus ('+' ASCII 43)
* character.
*/
if (k1 != 1) { /* the first time do not append a comma */
if (k2 != 1) { /* adjoining multi-value RDN */
STR_APPEND("+");
} else {
STR_APPEND(",");
}
}
ldap_desc =
gnutls_x509_dn_oid_name(oid,
GNUTLS_X509_DN_OID_RETURN_OID);
STR_APPEND(ldap_desc);
STR_APPEND("=");
result =
_gnutls_x509_dn_to_string(oid, tvd.data,
tvd.size, &td);
if (result < 0) {
gnutls_assert();
_gnutls_debug_log
("Cannot parse OID: '%s' with value '%s'\n",
oid, _gnutls_bin2hex(tvd.data,
tvd.size,
tmpbuffer3,
sizeof
(tmpbuffer3),
NULL));
goto cleanup;
}
DATA_APPEND(td.data, td.size);
_gnutls_free_datum(&td);
_gnutls_free_datum(&tvd);
}
while (1);
}
while (1);
result = _gnutls_buffer_to_datum(&out_str, dn, 1);
if (result < 0)
gnutls_assert();
goto cleanup1;
cleanup:
_gnutls_buffer_clear(&out_str);
cleanup1:
_gnutls_free_datum(&td);
_gnutls_free_datum(&tvd);
return result;
}
/**
* gnutls_pkcs7_crt_print:
* @pkcs7: The PKCS7 struct to be printed
* @format: Indicate the format to use
* @out: Newly allocated datum with null terminated string.
*
* This function will pretty print a signed PKCS #7 structure, suitable for
* display to a human.
*
* Currently the supported formats are %GNUTLS_CRT_PRINT_FULL and
* %GNUTLS_CRT_PRINT_COMPACT.
*
* The output @out needs to be deallocated using gnutls_free().
*
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
* negative error value.
**/
int gnutls_pkcs7_print(gnutls_pkcs7_t pkcs7,
gnutls_certificate_print_formats_t format,
gnutls_datum_t * out)
{
int count, ret, i;
gnutls_pkcs7_signature_info_st info;
gnutls_buffer_st str;
const char *oid;
_gnutls_buffer_init(&str);
/* For backwards compatibility with structures using the default OID,
* we don't print the eContent Type explicitly */
oid = gnutls_pkcs7_get_embedded_data_oid(pkcs7);
if (oid) {
if (strcmp(oid, DATA_OID) != 0
&& strcmp(oid, DIGESTED_DATA_OID) != 0) {
addf(&str, "eContent Type: %s\n", oid);
}
}
for (i = 0;; i++) {
if (i == 0)
addf(&str, "Signers:\n");
ret = gnutls_pkcs7_get_signature_info(pkcs7, i, &info);
if (ret < 0)
break;
print_pkcs7_info(&info, &str, format);
gnutls_pkcs7_signature_info_deinit(&info);
}
if (format == GNUTLS_CRT_PRINT_FULL) {
gnutls_datum_t data, b64;
count = gnutls_pkcs7_get_crt_count(pkcs7);
if (count > 0) {
addf(&str, "Number of certificates: %u\n\n",
count);
for (i = 0; i < count; i++) {
ret =
gnutls_pkcs7_get_crt_raw2(pkcs7, i, &data);
if (ret < 0) {
addf(&str,
"Error: cannot print certificate %d\n",
i);
continue;
}
ret =
gnutls_pem_base64_encode_alloc
("CERTIFICATE", &data, &b64);
if (ret < 0) {
gnutls_free(data.data);
continue;
}
adds(&str, (char*)b64.data);
adds(&str, "\n");
gnutls_free(b64.data);
gnutls_free(data.data);
}
}
count = gnutls_pkcs7_get_crl_count(pkcs7);
if (count > 0) {
addf(&str, "Number of CRLs: %u\n\n", count);
for (i = 0; i < count; i++) {
ret =
gnutls_pkcs7_get_crl_raw2(pkcs7, i, &data);
if (ret < 0) {
addf(&str,
"Error: cannot print certificate %d\n",
i);
continue;
}
ret =
gnutls_pem_base64_encode_alloc("X509 CRL",
&data, &b64);
if (ret < 0) {
gnutls_free(data.data);
continue;
}
adds(&str, (char*)b64.data);
adds(&str, "\n");
gnutls_free(b64.data);
gnutls_free(data.data);
}
}
}
return _gnutls_buffer_to_datum(&str, out, 1);
}
