/*
 * Load a PKCS#12 blob from a file into this credentials object.
 *
 * Thin C++ wrapper around gnutls_certificate_set_x509_simple_pkcs12_file():
 * the C call's return code is handed to RETWRAP, which is defined elsewhere in
 * this file and owns the error handling (its exact behaviour is not visible
 * here, so callers should check its definition before relying on exceptions).
 *
 * pkcs12file - path of the PKCS#12 file to read.
 * type       - on-disk encoding of the file (gnutls_x509_crt_fmt_t, e.g.
 *              GNUTLS_X509_FMT_DER or GNUTLS_X509_FMT_PEM).
 * password   - password protecting the blob; passed straight through to the
 *              C API, no copy is kept here.
 */
void certificate_credentials::set_simple_pkcs12_file(const char *pkcs12file,
                                                     gnutls_x509_crt_fmt_t type,
                                                     const char *password)
{
	RETWRAP(gnutls_certificate_set_x509_simple_pkcs12_file(cred, pkcs12file, type, password));
}
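/*
 * Test driver: load every PKCS#12 file listed in the files[] table (defined
 * elsewhere in this file) into a freshly allocated credentials object and
 * fail() on the first one that does not parse.
 *
 * The directory holding the blobs is taken from $PKCS12PATH, falling back to
 * "cert-tests/data/". The test is skipped (exit 77) in FIPS140 mode.
 *
 * Compared to the previous version the directory lookup is hoisted out of
 * the loop and the snprintf() result is checked, so an over-long path fails
 * loudly instead of silently loading a truncated file name.
 */
void doit(void)
{
	gnutls_certificate_credentials_t x509cred;
	const char *path;
	unsigned int i;
	char file[512];
	int ret, n;

	if (gnutls_fips140_mode_enabled()) {
		exit(77);
	}

	ret = global_init();
	if (ret < 0)
		fail("global_init failed %d\n", ret);

	gnutls_global_set_log_function(tls_log_func);
	if (debug)
		gnutls_global_set_log_level(4711);

	/* The directory does not change between files; resolve it once. */
	path = getenv("PKCS12PATH");
	if (!path)
		path = "cert-tests/data/";

	for (i = 0; files[i].file != NULL; i++) {
		ret = gnutls_certificate_allocate_credentials(&x509cred);
		if (ret < 0)
			fail("gnutls_certificate_allocate_credentials failed %d\n",
			     ret);

		/* A truncated path would make the test load the wrong file. */
		n = snprintf(file, sizeof(file), "%s/%s", path, files[i].file);
		if (n < 0 || (size_t) n >= sizeof(file))
			fail("file name too long for '%s'\n", files[i].file);

		/* Note: this prints the test password to the log; it is only
		 * emitted when debug is set. */
		if (debug)
			success("Reading PKCS#12 blob from `%s' using password `%s'.\n",
				file, files[i].pass);

		ret = gnutls_certificate_set_x509_simple_pkcs12_file(x509cred, file,
								     GNUTLS_X509_FMT_DER,
								     files[i].pass);
		if (ret < 0)
			fail("x509_pkcs12 failed %d: %s\n", ret,
			     gnutls_strerror(ret));

		if (debug)
			success("Read file OK\n");

		gnutls_certificate_free_credentials(x509cred);
	}

	gnutls_global_deinit();
}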
/*
 * tls_global_set_params - install server-side certificate material on the
 * global GnuTLS context.
 *
 * Any previously installed credentials (params_set != 0) are released and a
 * new credentials object is allocated. The CA certificate and the client
 * cert/key pair are each tried as PEM first and DER second. If only
 * private_key is given it is treated as a PKCS#12 container, which is the
 * only path that honours params->private_key_passwd (the PEM/DER key path
 * carries a TODO for it).
 *
 * Returns 0 on success, -1 on failure. On failure the freshly allocated
 * credentials are freed; params_set stays 0, so the next call will not try
 * to free them again, but global->xcred is left pointing at freed memory
 * and global->server has already been set to 1.
 */
int tls_global_set_params(void *tls_ctx, const struct tls_connection_params *params)
{
	struct tls_global *global = tls_ctx;
	int ret;

	/* Currently, global parameters are only set when running in server
	 * mode. */
	global->server = 1;

	/* Drop credentials from an earlier call before allocating new ones. */
	if (global->params_set) {
		gnutls_certificate_free_credentials(global->xcred);
		global->params_set = 0;
	}

	ret = gnutls_certificate_allocate_credentials(&global->xcred);
	if (ret) {
		wpa_printf(MSG_DEBUG, "Failed to allocate global credentials "
			   "%s", gnutls_strerror(ret));
		return -1;
	}

	/* Trust anchor: PEM first, then DER. */
	if (params->ca_cert) {
		ret = gnutls_certificate_set_x509_trust_file(
			global->xcred, params->ca_cert, GNUTLS_X509_FMT_PEM);
		if (ret < 0) {
			wpa_printf(MSG_DEBUG, "Failed to read CA cert '%s' "
				   "in PEM format: %s", params->ca_cert,
				   gnutls_strerror(ret));
			ret = gnutls_certificate_set_x509_trust_file(
				global->xcred, params->ca_cert,
				GNUTLS_X509_FMT_DER);
			if (ret < 0) {
				wpa_printf(MSG_DEBUG, "Failed to read CA cert "
					   "'%s' in DER format: %s",
					   params->ca_cert,
					   gnutls_strerror(ret));
				goto fail;
			}
		}
	}

	if (params->client_cert && params->private_key) {
		/* TODO: private_key_passwd? */
		/* Separate cert and key files: PEM first, then DER. The key
		 * password is not passed on this path, so an encrypted key
		 * will fail to load here. */
		ret = gnutls_certificate_set_x509_key_file(
			global->xcred, params->client_cert, params->private_key,
			GNUTLS_X509_FMT_PEM);
		if (ret < 0) {
			wpa_printf(MSG_DEBUG, "Failed to read client cert/key "
				   "in PEM format: %s", gnutls_strerror(ret));
			ret = gnutls_certificate_set_x509_key_file(
				global->xcred, params->client_cert,
				params->private_key, GNUTLS_X509_FMT_DER);
			if (ret < 0) {
				wpa_printf(MSG_DEBUG, "Failed to read client "
					   "cert/key in DER format: %s",
					   gnutls_strerror(ret));
				goto fail;
			}
		}
	} else if (params->private_key) {
		/* private_key without client_cert: the file is expected to be
		 * a PKCS#12 container holding both, DER-encoded only. */
		int pkcs12_ok = 0;
#ifdef PKCS12_FUNCS
		/* Try to load in PKCS#12 format */
#if LIBGNUTLS_VERSION_NUMBER >= 0x010302
		ret = gnutls_certificate_set_x509_simple_pkcs12_file(
			global->xcred, params->private_key, GNUTLS_X509_FMT_DER,
			params->private_key_passwd);
		if (ret != 0) {
			wpa_printf(MSG_DEBUG, "Failed to load private_key in "
				   "PKCS#12 format: %s", gnutls_strerror(ret));
			goto fail;
		} else
			pkcs12_ok = 1;
#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x010302 */
#endif /* PKCS12_FUNCS */

		/* Reached when the build lacks PKCS#12 support or the GnuTLS
		 * version is too old: refuse rather than run without a key. */
		if (!pkcs12_ok) {
			wpa_printf(MSG_DEBUG, "GnuTLS: PKCS#12 support not "
				   "included");
			goto fail;
		}
	}

	global->params_set = 1;

	return 0;

fail:
	/* params_set is still 0 here, so xcred is not freed twice on the next
	 * call; the stale pointer is not cleared, though. */
	gnutls_certificate_free_credentials(global->xcred);
	return -1;
}
/*
 * tls_connection_set_params - configure per-connection certificate material
 * and matching rules on a GnuTLS connection (older variant of this file).
 *
 * Stores copies of subject_match / altsubject_match on conn, loads the CA
 * certificate and the client cert/key (PEM first, then DER) or a PKCS#12
 * container (DER only) into conn->xcred, then attaches the credentials to
 * conn->session. Under GNUTLS_IA a client inner-application credential is
 * allocated and attached as well.
 *
 * Security notes grounded in the code below:
 *  - conn->verify_peer is set to 1 only when params->ca_cert is given; it is
 *    not cleared here, so its value from an earlier call otherwise persists.
 *  - private_key_passwd is only used on the PKCS#12 path; the separate
 *    cert/key path carries a TODO for it.
 *
 * Returns 0 on success. Failures return -1, except the DER cert/key failure
 * which returns the raw GnuTLS error (still negative). A failure of
 * gnutls_credentials_set() is only logged; its negative code is returned
 * unless the GNUTLS_IA block below overwrites ret.
 */
int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, const struct tls_connection_params *params)
{
	int ret;

	if (conn == NULL || params == NULL)
		return -1;

	/* Replace (never merge) the stored matching strings. */
	os_free(conn->subject_match);
	conn->subject_match = NULL;
	if (params->subject_match) {
		conn->subject_match = os_strdup(params->subject_match);
		if (conn->subject_match == NULL)
			return -1;
	}

	os_free(conn->altsubject_match);
	conn->altsubject_match = NULL;
	if (params->altsubject_match) {
		conn->altsubject_match = os_strdup(params->altsubject_match);
		if (conn->altsubject_match == NULL)
			return -1;
	}

	/* TODO: gnutls_certificate_set_verify_flags(xcred, flags);
	 * to force peer validation(?) */

	/* Trust anchor: PEM first, then DER. Only this branch turns on
	 * peer verification. */
	if (params->ca_cert) {
		conn->verify_peer = 1;
		ret = gnutls_certificate_set_x509_trust_file(
			conn->xcred, params->ca_cert, GNUTLS_X509_FMT_PEM);
		if (ret < 0) {
			wpa_printf(MSG_DEBUG, "Failed to read CA cert '%s' "
				   "in PEM format: %s", params->ca_cert,
				   gnutls_strerror(ret));
			ret = gnutls_certificate_set_x509_trust_file(
				conn->xcred, params->ca_cert,
				GNUTLS_X509_FMT_DER);
			if (ret < 0) {
				wpa_printf(MSG_DEBUG, "Failed to read CA cert "
					   "'%s' in DER format: %s",
					   params->ca_cert,
					   gnutls_strerror(ret));
				return -1;
			}
		}
	}

	if (params->client_cert && params->private_key) {
		/* TODO: private_key_passwd? */
		/* Separate cert and key files: PEM first, then DER. No key
		 * password is passed on this path. */
		ret = gnutls_certificate_set_x509_key_file(
			conn->xcred, params->client_cert, params->private_key,
			GNUTLS_X509_FMT_PEM);
		if (ret < 0) {
			wpa_printf(MSG_DEBUG, "Failed to read client cert/key "
				   "in PEM format: %s", gnutls_strerror(ret));
			ret = gnutls_certificate_set_x509_key_file(
				conn->xcred, params->client_cert,
				params->private_key, GNUTLS_X509_FMT_DER);
			if (ret < 0) {
				wpa_printf(MSG_DEBUG, "Failed to read client "
					   "cert/key in DER format: %s",
					   gnutls_strerror(ret));
				/* Note: returns the GnuTLS code, not -1 as
				 * the other error paths do. */
				return ret;
			}
		}
	} else if (params->private_key) {
		/* private_key alone is treated as a DER PKCS#12 container. */
		int pkcs12_ok = 0;
#ifdef PKCS12_FUNCS
		/* Try to load in PKCS#12 format */
#if LIBGNUTLS_VERSION_NUMBER >= 0x010302
		ret = gnutls_certificate_set_x509_simple_pkcs12_file(
			conn->xcred, params->private_key, GNUTLS_X509_FMT_DER,
			params->private_key_passwd);
		if (ret != 0) {
			wpa_printf(MSG_DEBUG, "Failed to load private_key in "
				   "PKCS#12 format: %s", gnutls_strerror(ret));
			return -1;
		} else
			pkcs12_ok = 1;
#endif /* LIBGNUTLS_VERSION_NUMBER >= 0x010302 */
#endif /* PKCS12_FUNCS */

		if (!pkcs12_ok) {
			wpa_printf(MSG_DEBUG, "GnuTLS: PKCS#12 support not "
				   "included");
			return -1;
		}
	}

	conn->tls_ia = params->tls_ia;
	conn->params_set = 1;

	/* Failure here is logged but does not abort; ret carries the code. */
	ret = gnutls_credentials_set(conn->session, GNUTLS_CRD_CERTIFICATE,
				     conn->xcred);
	if (ret < 0) {
		wpa_printf(MSG_INFO, "Failed to configure credentials: %s",
			   gnutls_strerror(ret));
	}

#ifdef GNUTLS_IA
	/* Re-create the inner-application client credential on every call. */
	if (conn->iacred_cli)
		gnutls_ia_free_client_credentials(conn->iacred_cli);

	ret = gnutls_ia_allocate_client_credentials(&conn->iacred_cli);
	if (ret) {
		wpa_printf(MSG_DEBUG, "Failed to allocate IA credentials: %s",
			   gnutls_strerror(ret));
		return -1;
	}

	ret = gnutls_credentials_set(conn->session, GNUTLS_CRD_IA,
				     conn->iacred_cli);
	if (ret) {
		wpa_printf(MSG_DEBUG, "Failed to configure IA credentials: %s",
			   gnutls_strerror(ret));
		gnutls_ia_free_client_credentials(conn->iacred_cli);
		conn->iacred_cli = NULL;
		return -1;
	}
#endif /* GNUTLS_IA */

	return ret;
}
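/*
 * Allocate a fresh credentials object, load one DER PKCS#12 blob into it with
 * the given password and release it again. Any error is reported through
 * fail(); progress is reported through success() only when debug is set.
 *
 * Note: the debug message echoes the password to the test log.
 */
static void load_pkcs12_file (const char *file, const char *password)
{
	gnutls_certificate_credentials_t x509cred;
	int ret;

	ret = gnutls_certificate_allocate_credentials (&x509cred);
	if (ret < 0)
		fail ("gnutls_certificate_allocate_credentials failed %d\n", ret);

	if (debug)
		success ("Reading PKCS#12 blob from `%s' using password `%s'.\n",
			 file, password);

	ret = gnutls_certificate_set_x509_simple_pkcs12_file (x509cred, file,
							      GNUTLS_X509_FMT_DER,
							      password);
	if (ret < 0)
		fail ("x509_pkcs12 failed %d: %s\n", ret, gnutls_strerror (ret));

	if (debug)
		success ("Read file OK\n");

	gnutls_certificate_free_credentials (x509cred);
}

/*
 * Test driver: load two PKCS#12 files through
 * gnutls_certificate_set_x509_simple_pkcs12_file().
 *
 * The first file/password pair comes from $PKCS12FILE / $PKCS12PASSWORD
 * (default "pkcs12-decode/client.p12" / "******"), the second from
 * $PKCS12FILE_2 / $PKCS12PASSWORD_2 (default
 * "pkcs12-decode/pkcs12_2certs.p12" / ""). The duplicated
 * allocate-load-free sequence of the previous version lives in
 * load_pkcs12_file() above.
 */
void doit (void)
{
	const char *file, *password;
	int ret;

	ret = gnutls_global_init ();
	if (ret < 0)
		fail ("gnutls_global_init failed %d\n", ret);

	file = getenv ("PKCS12FILE");
	password = getenv ("PKCS12PASSWORD");
	if (!file)
		file = "pkcs12-decode/client.p12";
	if (!password)
		password = "******";

	load_pkcs12_file (file, password);

	/* try now if we can read correctly from a pkcs12 file that
	 * contains two certificates (one unrelated with key) */
	file = getenv ("PKCS12FILE_2");
	password = getenv ("PKCS12PASSWORD_2");
	if (!file)
		file = "pkcs12-decode/pkcs12_2certs.p12";
	if (!password)
		password = "";

	load_pkcs12_file (file, password);

	gnutls_global_deinit ();
}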
/*
 * tls_connection_set_params - configure per-connection certificate material,
 * name matching, verification flags and OCSP on a GnuTLS connection.
 *
 * Rejects options this backend does not implement (ext_cert_check,
 * subject_match, altsubject_match, openssl_ciphers, ca_path, and
 * domain_match before GnuTLS 3.3.0). Trust anchors and client credentials
 * may come from files or from in-memory blobs; each is tried as DER first
 * and PEM second. A lone private_key / private_key_blob is treated as a
 * DER PKCS#12 container.
 *
 * Security notes grounded in the code below:
 *  - conn->verify_peer and the tls_connection_verify_peer callback are only
 *    installed when a CA certificate (file or blob) was given.
 *  - TLS_CONN_ALLOW_SIGN_RSA_MD5 and TLS_CONN_DISABLE_TIME_CHECKS each
 *    relax verification via gnutls_certificate_set_verify_flags(); both are
 *    opt-in through params->flags.
 *  - params->private_key_passwd reaches the cert/key loaders only when
 *    GNUTLS_VERSION_NUMBER >= 0x03010b; the PKCS#12 loaders always get it.
 *
 * Returns 0 on success, -1 on most failures, or the raw (negative) GnuTLS
 * code when the PEM cert/key fallback or the final gnutls_credentials_set()
 * fails.
 */
int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, const struct tls_connection_params *params)
{
	int ret;

	if (conn == NULL || params == NULL)
		return -1;

	/* Unsupported options are refused up front rather than ignored, so a
	 * caller cannot believe a check is active when it is not. */
	if (params->flags & TLS_CONN_EXT_CERT_CHECK) {
		wpa_printf(MSG_INFO,
			   "GnuTLS: tls_ext_cert_check=1 not supported");
		return -1;
	}

	if (params->subject_match) {
		wpa_printf(MSG_INFO, "GnuTLS: subject_match not supported");
		return -1;
	}

	if (params->altsubject_match) {
		wpa_printf(MSG_INFO, "GnuTLS: altsubject_match not supported");
		return -1;
	}

	/* Replace (never merge) the stored suffix match. */
	os_free(conn->suffix_match);
	conn->suffix_match = NULL;
	if (params->suffix_match) {
		conn->suffix_match = os_strdup(params->suffix_match);
		if (conn->suffix_match == NULL)
			return -1;
	}

#if GNUTLS_VERSION_NUMBER >= 0x030300
	os_free(conn->domain_match);
	conn->domain_match = NULL;
	if (params->domain_match) {
		conn->domain_match = os_strdup(params->domain_match);
		if (conn->domain_match == NULL)
			return -1;
	}
#else /* < 3.3.0 */
	if (params->domain_match) {
		wpa_printf(MSG_INFO, "GnuTLS: domain_match not supported");
		return -1;
	}
#endif /* >= 3.3.0 */

	conn->flags = params->flags;

	if (params->openssl_ciphers) {
		wpa_printf(MSG_INFO, "GnuTLS: openssl_ciphers not supported");
		return -1;
	}

	/* TODO: gnutls_certificate_set_verify_flags(xcred, flags);
	 * to force peer validation(?) */

	/* Trust anchor from file: DER first, then PEM. */
	if (params->ca_cert) {
		wpa_printf(MSG_DEBUG, "GnuTLS: Try to parse %s in DER format",
			   params->ca_cert);
		ret = gnutls_certificate_set_x509_trust_file(
			conn->xcred, params->ca_cert, GNUTLS_X509_FMT_DER);
		if (ret < 0) {
			wpa_printf(MSG_DEBUG,
				   "GnuTLS: Failed to read CA cert '%s' in DER format (%s) - try in PEM format",
				   params->ca_cert, gnutls_strerror(ret));
			ret = gnutls_certificate_set_x509_trust_file(
				conn->xcred, params->ca_cert,
				GNUTLS_X509_FMT_PEM);
			if (ret < 0) {
				wpa_printf(MSG_DEBUG,
					   "Failed to read CA cert '%s' in PEM format: %s",
					   params->ca_cert,
					   gnutls_strerror(ret));
				return -1;
			}
		}
	} else if (params->ca_cert_blob) {
		/* Trust anchor from memory: DER first, then PEM. The const
		 * cast only adapts to gnutls_datum_t; the data is not
		 * modified. */
		gnutls_datum_t ca;

		ca.data = (unsigned char *) params->ca_cert_blob;
		ca.size = params->ca_cert_blob_len;

		ret = gnutls_certificate_set_x509_trust_mem(
			conn->xcred, &ca, GNUTLS_X509_FMT_DER);
		if (ret < 0) {
			wpa_printf(MSG_DEBUG,
				   "Failed to parse CA cert in DER format: %s",
				   gnutls_strerror(ret));
			ret = gnutls_certificate_set_x509_trust_mem(
				conn->xcred, &ca, GNUTLS_X509_FMT_PEM);
			if (ret < 0) {
				wpa_printf(MSG_DEBUG,
					   "Failed to parse CA cert in PEM format: %s",
					   gnutls_strerror(ret));
				return -1;
			}
		}
	} else if (params->ca_path) {
		wpa_printf(MSG_INFO, "GnuTLS: ca_path not supported");
		return -1;
	}

	/* Peer verification is only wired up when a trust anchor exists. */
	conn->disable_time_checks = 0;
	if (params->ca_cert || params->ca_cert_blob) {
		conn->verify_peer = 1;
		gnutls_certificate_set_verify_function(
			conn->xcred, tls_connection_verify_peer);

		/* Opt-in relaxations of certificate verification. */
		if (params->flags & TLS_CONN_ALLOW_SIGN_RSA_MD5) {
			gnutls_certificate_set_verify_flags(
				conn->xcred, GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5);
		}

		/* NOTE(review): if gnutls_certificate_set_verify_flags()
		 * replaces rather than ORs the flag set, this second call
		 * drops GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 when both flags are
		 * requested - confirm against the GnuTLS version in use. */
		if (params->flags & TLS_CONN_DISABLE_TIME_CHECKS) {
			conn->disable_time_checks = 1;
			gnutls_certificate_set_verify_flags(
				conn->xcred, GNUTLS_VERIFY_DISABLE_TIME_CHECKS);
		}
	}

	if (params->client_cert && params->private_key) {
		/* Separate cert and key files: DER first, then PEM. The key
		 * password is only available with the *_file2 API. */
#if GNUTLS_VERSION_NUMBER >= 0x03010b
		ret = gnutls_certificate_set_x509_key_file2(
			conn->xcred, params->client_cert, params->private_key,
			GNUTLS_X509_FMT_DER, params->private_key_passwd, 0);
#else
		/* private_key_passwd not (easily) supported here */
		ret = gnutls_certificate_set_x509_key_file(
			conn->xcred, params->client_cert, params->private_key,
			GNUTLS_X509_FMT_DER);
#endif
		if (ret < 0) {
			wpa_printf(MSG_DEBUG, "Failed to read client cert/key "
				   "in DER format: %s", gnutls_strerror(ret));
#if GNUTLS_VERSION_NUMBER >= 0x03010b
			ret = gnutls_certificate_set_x509_key_file2(
				conn->xcred, params->client_cert,
				params->private_key, GNUTLS_X509_FMT_PEM,
				params->private_key_passwd, 0);
#else
			ret = gnutls_certificate_set_x509_key_file(
				conn->xcred, params->client_cert,
				params->private_key, GNUTLS_X509_FMT_PEM);
#endif
			if (ret < 0) {
				wpa_printf(MSG_DEBUG, "Failed to read client "
					   "cert/key in PEM format: %s",
					   gnutls_strerror(ret));
				/* Returns the GnuTLS code, not -1. */
				return ret;
			}
		}
	} else if (params->private_key) {
		/* private_key alone is treated as a DER PKCS#12 container. */
		int pkcs12_ok = 0;
#ifdef PKCS12_FUNCS
		/* Try to load in PKCS#12 format */
		ret = gnutls_certificate_set_x509_simple_pkcs12_file(
			conn->xcred, params->private_key, GNUTLS_X509_FMT_DER,
			params->private_key_passwd);
		if (ret != 0) {
			wpa_printf(MSG_DEBUG, "Failed to load private_key in "
				   "PKCS#12 format: %s", gnutls_strerror(ret));
			return -1;
		} else
			pkcs12_ok = 1;
#endif /* PKCS12_FUNCS */

		if (!pkcs12_ok) {
			wpa_printf(MSG_DEBUG, "GnuTLS: PKCS#12 support not "
				   "included");
			return -1;
		}
	} else if (params->client_cert_blob && params->private_key_blob) {
		/* Cert and key from memory: DER first, then PEM. */
		gnutls_datum_t cert, key;

		cert.data = (unsigned char *) params->client_cert_blob;
		cert.size = params->client_cert_blob_len;
		key.data = (unsigned char *) params->private_key_blob;
		key.size = params->private_key_blob_len;

#if GNUTLS_VERSION_NUMBER >= 0x03010b
		ret = gnutls_certificate_set_x509_key_mem2(
			conn->xcred, &cert, &key, GNUTLS_X509_FMT_DER,
			params->private_key_passwd, 0);
#else
		/* private_key_passwd not (easily) supported here */
		ret = gnutls_certificate_set_x509_key_mem(
			conn->xcred, &cert, &key, GNUTLS_X509_FMT_DER);
#endif
		if (ret < 0) {
			wpa_printf(MSG_DEBUG, "Failed to read client cert/key "
				   "in DER format: %s", gnutls_strerror(ret));
#if GNUTLS_VERSION_NUMBER >= 0x03010b
			ret = gnutls_certificate_set_x509_key_mem2(
				conn->xcred, &cert, &key, GNUTLS_X509_FMT_PEM,
				params->private_key_passwd, 0);
#else
			/* private_key_passwd not (easily) supported here */
			ret = gnutls_certificate_set_x509_key_mem(
				conn->xcred, &cert, &key, GNUTLS_X509_FMT_PEM);
#endif
			if (ret < 0) {
				wpa_printf(MSG_DEBUG, "Failed to read client "
					   "cert/key in PEM format: %s",
					   gnutls_strerror(ret));
				/* Returns the GnuTLS code, not -1. */
				return ret;
			}
		}
	} else if (params->private_key_blob) {
		/* Key blob alone is treated as a DER PKCS#12 container. */
#ifdef PKCS12_FUNCS
		gnutls_datum_t key;

		key.data = (unsigned char *) params->private_key_blob;
		key.size = params->private_key_blob_len;

		/* Try to load in PKCS#12 format */
		ret = gnutls_certificate_set_x509_simple_pkcs12_mem(
			conn->xcred, &key, GNUTLS_X509_FMT_DER,
			params->private_key_passwd);
		if (ret != 0) {
			wpa_printf(MSG_DEBUG, "Failed to load private_key in "
				   "PKCS#12 format: %s", gnutls_strerror(ret));
			return -1;
		}
#else /* PKCS12_FUNCS */
		wpa_printf(MSG_DEBUG, "GnuTLS: PKCS#12 support not included");
		return -1;
#endif /* PKCS12_FUNCS */
	}

#if GNUTLS_VERSION_NUMBER >= 0x030103
	/* Ask the server for a stapled OCSP response when either OCSP flag
	 * is set; whether it is required is decided elsewhere. */
	if (params->flags & (TLS_CONN_REQUEST_OCSP | TLS_CONN_REQUIRE_OCSP)) {
		ret = gnutls_ocsp_status_request_enable_client(conn->session,
							       NULL, 0, NULL);
		if (ret != GNUTLS_E_SUCCESS) {
			wpa_printf(MSG_INFO,
				   "GnuTLS: Failed to enable OCSP client");
			return -1;
		}
	}
#else /* 3.1.3 */
	/* Without OCSP support a hard requirement cannot be met: refuse. */
	if (params->flags & TLS_CONN_REQUIRE_OCSP) {
		wpa_printf(MSG_INFO,
			   "GnuTLS: OCSP not supported by this version of GnuTLS");
		return -1;
	}
#endif /* 3.1.3 */

	conn->params_set = 1;

	/* Failure here is logged; the negative code is returned to the
	 * caller via ret. */
	ret = gnutls_credentials_set(conn->session, GNUTLS_CRD_CERTIFICATE,
				     conn->xcred);
	if (ret < 0) {
		wpa_printf(MSG_INFO, "Failed to configure credentials: %s",
			   gnutls_strerror(ret));
	}

	return ret;
}
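/*
 * Test driver for gnutls_certificate_set_x509_simple_pkcs12_file().
 *
 * Checks that a missing file is reported as GNUTLS_E_FILE_ERROR, then writes
 * the embedded PKCS#12 blob (server_ca3_pkcs12_pem, defined elsewhere) to a
 * temporary file, loads it, compares the first stored certificate against
 * server_localhost_ca3_cert_pem and finally runs test_cli_serv() against a
 * client credential that trusts ca3_cert. Skipped (exit 77) in FIPS140 mode.
 *
 * Library calls are no longer wrapped in assert(): with NDEBUG defined an
 * assert() disappears together with its side effect, which would leave
 * xcred/clicred unallocated and the temporary file empty. The fwrite()
 * result is compared with the full length (a short write used to pass) and
 * fclose() is checked so the file is known to be complete before it is read.
 */
void doit(void)
{
	int ret;
	gnutls_certificate_credentials_t xcred;
	gnutls_certificate_credentials_t clicred;
	const char *certfile = "does-not-exist.pem";
	gnutls_datum_t tcert;
	FILE *fp;
	size_t len;

	if (gnutls_fips140_mode_enabled()) {
		exit(77);
	}

	global_init();

	ret = gnutls_certificate_allocate_credentials(&xcred);
	if (ret < 0)
		fail("gnutls_certificate_allocate_credentials failed: %s\n",
		     gnutls_strerror(ret));

	/* this will fail: the file does not exist */
	ret = gnutls_certificate_set_x509_simple_pkcs12_file(xcred, certfile,
							     GNUTLS_X509_FMT_PEM,
							     "1234");
	if (ret != GNUTLS_E_FILE_ERROR)
		fail("gnutls_certificate_set_x509_simple_pkcs12_file failed: %s\n",
		     gnutls_strerror(ret));

	gnutls_certificate_free_credentials(xcred);

	ret = gnutls_certificate_allocate_credentials(&clicred);
	if (ret < 0)
		fail("gnutls_certificate_allocate_credentials failed: %s\n",
		     gnutls_strerror(ret));

	ret = gnutls_certificate_allocate_credentials(&xcred);
	if (ret < 0)
		fail("gnutls_certificate_allocate_credentials failed: %s\n",
		     gnutls_strerror(ret));

	ret = gnutls_certificate_set_x509_trust_mem(clicred, &ca3_cert,
						    GNUTLS_X509_FMT_PEM);
	if (ret < 0)
		fail("set_x509_trust_file failed: %s\n", gnutls_strerror(ret));

	/* Materialize the in-memory PKCS#12 blob as a file for the _file API. */
	certfile = get_tmpname(NULL);

	fp = fopen(certfile, "w");
	if (fp == NULL)
		fail("error in fopen\n");

	len = strlen((char*)server_ca3_pkcs12_pem);
	/* A short write would silently test a truncated blob. */
	if (fwrite(server_ca3_pkcs12_pem, 1, len, fp) != len)
		fail("error in fwrite\n");
	/* fclose() flushes; a failure here means the file is incomplete. */
	if (fclose(fp) != 0)
		fail("error in fclose\n");

	ret = gnutls_certificate_set_x509_simple_pkcs12_file(xcred, certfile,
							     GNUTLS_X509_FMT_PEM,
							     "1234");
	if (ret < 0)
		fail("gnutls_certificate_set_x509_simple_pkcs12_file failed: %s\n",
		     gnutls_strerror(ret));

	/* verify whether the stored certificate match the ones we have */
	ret = gnutls_certificate_get_crt_raw(xcred, 0, 0, &tcert);
	if (ret < 0) {
		fail("error in %d: %s\n", __LINE__, gnutls_strerror(ret));
		exit(1);
	}

	compare(&tcert, server_localhost_ca3_cert_pem);

	remove(certfile);

	test_cli_serv(xcred, clicred, "NORMAL", "localhost", NULL, NULL,
		      NULL); /* the DNS name of the first cert */

	gnutls_certificate_free_credentials(xcred);
	gnutls_certificate_free_credentials(clicred);

	gnutls_global_deinit();
}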