示例#1
0
GNUTLS_SKIP_GLOBAL_INIT

void doit(void)
{

	int ret;
	gnutls_x509_crt_t crt;

	ret = gnutls_x509_crt_init(&crt);
	if (ret >= 0) {
		if (!weak_symbol_works)
			exit(77);

		fail("Library is already initialized\n");
	}

	gnutls_global_init();

	ret = gnutls_x509_crt_init(&crt);
	if (ret < 0) {
		fail("Could not init certificate!\n");
	}
	gnutls_x509_crt_deinit(crt);

	gnutls_global_deinit();
}
示例#2
0
GNUTLS_SKIP_GLOBAL_INIT

void doit(void)
{
#ifdef _WIN32
	/* weak symbols don't seem to work in windows */
	exit(77);
#else
	int ret;
	gnutls_x509_crt_t crt;

	ret = gnutls_x509_crt_init(&crt);
	if (ret >= 0) {
		fail("Library is already initialized\n");
	}

	gnutls_global_init();

	ret = gnutls_x509_crt_init(&crt);
	if (ret < 0) {
		fail("Could not init certificate!\n");
	}
	gnutls_x509_crt_deinit(crt);

	gnutls_global_deinit();
#endif
}
示例#3
0
/**
 * Enables SSL for the given connection.
 *
 * @param connection The connection to enable SSL for.
 *
 * @return IDEVICE_E_SUCCESS on success, IDEVICE_E_INVALID_ARG when connection
 *     is NULL or connection->ssl_data is non-NULL, or IDEVICE_E_SSL_ERROR when
 *     SSL initialization, setup, or handshake fails.
 */
idevice_error_t idevice_connection_enable_ssl(idevice_connection_t connection)
{
	if (!connection || connection->ssl_data)
		return IDEVICE_E_INVALID_ARG;

	idevice_error_t ret = IDEVICE_E_SSL_ERROR;
	uint32_t return_me = 0;

	ssl_data_t ssl_data_loc = (ssl_data_t)malloc(sizeof(struct ssl_data_private));

	/* Set up GnuTLS... */
	debug_info("enabling SSL mode");
	errno = 0;
	gnutls_global_init();
	gnutls_certificate_allocate_credentials(&ssl_data_loc->certificate);
	gnutls_certificate_client_set_retrieve_function (ssl_data_loc->certificate, internal_cert_callback);
	gnutls_init(&ssl_data_loc->session, GNUTLS_CLIENT);
	gnutls_priority_set_direct(ssl_data_loc->session, "NONE:+VERS-SSL3.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL", NULL);
	gnutls_credentials_set(ssl_data_loc->session, GNUTLS_CRD_CERTIFICATE, ssl_data_loc->certificate);
	gnutls_session_set_ptr(ssl_data_loc->session, ssl_data_loc);

	gnutls_x509_crt_init(&ssl_data_loc->root_cert);
	gnutls_x509_crt_init(&ssl_data_loc->host_cert);
	gnutls_x509_privkey_init(&ssl_data_loc->root_privkey);
	gnutls_x509_privkey_init(&ssl_data_loc->host_privkey);

	userpref_error_t uerr = userpref_get_keys_and_certs(ssl_data_loc->root_privkey, ssl_data_loc->root_cert, ssl_data_loc->host_privkey, ssl_data_loc->host_cert);
	if (uerr != USERPREF_E_SUCCESS) {
		debug_info("Error %d when loading keys and certificates! %d", uerr);
	}

	debug_info("GnuTLS step 1...");
	gnutls_transport_set_ptr(ssl_data_loc->session, (gnutls_transport_ptr_t)connection);
	debug_info("GnuTLS step 2...");
	gnutls_transport_set_push_function(ssl_data_loc->session, (gnutls_push_func) & internal_ssl_write);
	debug_info("GnuTLS step 3...");
	gnutls_transport_set_pull_function(ssl_data_loc->session, (gnutls_pull_func) & internal_ssl_read);
	debug_info("GnuTLS step 4 -- now handshaking...");
	if (errno)
		debug_info("WARN: errno says %s before handshake!", strerror(errno));
	return_me = gnutls_handshake(ssl_data_loc->session);
	debug_info("GnuTLS handshake done...");

	if (return_me != GNUTLS_E_SUCCESS) {
		internal_ssl_cleanup(ssl_data_loc);
		free(ssl_data_loc);
		debug_info("GnuTLS reported something wrong.");
		gnutls_perror(return_me);
		debug_info("oh.. errno says %s", strerror(errno));
	} else {
		connection->ssl_data = ssl_data_loc;
		ret = IDEVICE_E_SUCCESS;
		debug_info("SSL mode enabled");
	}
	return ret;
}
示例#4
0
int
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
{
	gnutls_x509_crt_t cert;
	gnutls_digest_algorithm_t algo;
	unsigned int cert_list_size;
	const gnutls_datum_t *cert_list;
	uint8_t digest[RB_SSL_CERTFP_LEN * 2];
	size_t digest_size;
	int len;

	if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509)
		return 0;

	if (gnutls_x509_crt_init(&cert) < 0)
		return 0;

	cert_list_size = 0;
	cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size);
	if (cert_list == NULL)
	{
		gnutls_x509_crt_deinit(cert);
		return 0;
	}

	if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
	{
		gnutls_x509_crt_deinit(cert);
		return 0;
	}

	switch(method)
	{
	case RB_SSL_CERTFP_METH_SHA1:
		algo = GNUTLS_DIG_SHA1;
		len = RB_SSL_CERTFP_LEN_SHA1;
		break;
	case RB_SSL_CERTFP_METH_SHA256:
		algo = GNUTLS_DIG_SHA256;
		len = RB_SSL_CERTFP_LEN_SHA256;
		break;
	case RB_SSL_CERTFP_METH_SHA512:
		algo = GNUTLS_DIG_SHA512;
		len = RB_SSL_CERTFP_LEN_SHA512;
		break;
	default:
		return 0;
	}

	if (gnutls_x509_crt_get_fingerprint(cert, algo, digest, &digest_size) < 0)
	{
		gnutls_x509_crt_deinit(cert);
		return 0;
	}

	memcpy(certfp, digest, len);

	gnutls_x509_crt_deinit(cert);
	return len;
}
示例#5
0
/* Returns a copy certificate of certificate SRC. */
static gnutls_x509_crt x509_crt_copy(gnutls_x509_crt src)
{
    int ret;
    size_t size;
    gnutls_datum tmp;
    gnutls_x509_crt dest;
    
    if (gnutls_x509_crt_init(&dest) != 0) {
        return NULL;
    }

    if (gnutls_x509_crt_export(src, GNUTLS_X509_FMT_DER, NULL, &size) 
        != GNUTLS_E_SHORT_MEMORY_BUFFER) {
        gnutls_x509_crt_deinit(dest);
        return NULL;
    }

    tmp.data = ne_malloc(size);
    ret = gnutls_x509_crt_export(src, GNUTLS_X509_FMT_DER, tmp.data, &size);
    if (ret == 0) {
        tmp.size = size;
        ret = gnutls_x509_crt_import(dest, &tmp, GNUTLS_X509_FMT_DER);
    }

    if (ret) {
        gnutls_x509_crt_deinit(dest);
        dest = NULL;
    }

    ne_free(tmp.data);
    return dest;
}
示例#6
0
ne_ssl_certificate *ne_ssl_cert_import(const char *data)
{
    int ret;
    size_t len;
    unsigned char *der;
    gnutls_datum buffer = { NULL, 0 };
    gnutls_x509_crt x5;

    if (gnutls_x509_crt_init(&x5) != 0)
        return NULL;

    /* decode the base64 to get the raw DER representation */
    len = ne_unbase64(data, &der);
    if (len == 0) return NULL;

    buffer.data = der;
    buffer.size = len;

    ret = gnutls_x509_crt_import(x5, &buffer, GNUTLS_X509_FMT_DER);
    ne_free(der);

    if (ret < 0) {
        gnutls_x509_crt_deinit(x5);
        return NULL;
    }

    return populate_cert(ne_calloc(sizeof(struct ne_ssl_certificate_s)), x5);
}
示例#7
0
文件: ssl-gnutls.c 项目: dylex/pidgin
/** Transforms a gnutls_datum containing an X.509 certificate into a Certificate instance under the x509_gnutls scheme
 *
 * @param dt   Datum to transform
 * @param mode GnuTLS certificate format specifier (GNUTLS_X509_FMT_PEM for
 *             reading from files, and GNUTLS_X509_FMT_DER for converting
 *             "over the wire" certs for SSL)
 *
 * @return A newly allocated Certificate structure of the x509_gnutls scheme
 */
static PurpleCertificate *
x509_import_from_datum(const gnutls_datum_t dt, gnutls_x509_crt_fmt_t mode)
{
	/* Internal certificate data structure */
	x509_crtdata_t *certdat;
	/* New certificate to return */
	PurpleCertificate * crt;

	/* Allocate and prepare the internal certificate data */
	certdat = g_new0(x509_crtdata_t, 1);
	if (gnutls_x509_crt_init(&(certdat->crt)) != 0) {
		g_free(certdat);
		return NULL;
	}
	certdat->refcount = 0;

	/* Perform the actual certificate parse */
	/* Yes, certdat->crt should be passed as-is */
	if (gnutls_x509_crt_import(certdat->crt, &dt, mode) != 0) {
		g_free(certdat);
		return NULL;
	}

	/* Allocate the certificate and load it with data */
	crt = g_new0(PurpleCertificate, 1);
	crt->scheme = &x509_gnutls;
	crt->data = x509_crtdata_addref(certdat);

	return crt;
}
示例#8
0
static void print_x509_info_compact(gnutls_session_t session)
{
	gnutls_x509_crt_t crt;
	const gnutls_datum_t *cert_list;
	unsigned int cert_list_size = 0;
	int ret;
	gnutls_datum_t cinfo;

	cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
	if (cert_list_size == 0) {
		fprintf(stderr, "No certificates found!\n");
		return;
	}

	gnutls_x509_crt_init(&crt);
	ret =
	    gnutls_x509_crt_import(crt, &cert_list[0],
				   GNUTLS_X509_FMT_DER);
	if (ret < 0) {
		fprintf(stderr, "Decoding error: %s\n",
			gnutls_strerror(ret));
		return;
	}

	ret = gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_COMPACT, &cinfo);
	if (ret == 0) {
		printf("- X.509 cert: %s\n", cinfo.data);
		gnutls_free(cinfo.data);
	}

	gnutls_x509_crt_deinit(crt);
}
示例#9
0
/*-
  * gnutls_x509_extract_certificate_serial - This function returns the certificate's serial number
  * @cert: is an X.509 DER encoded certificate
  * @result: The place where the serial number will be copied
  * @result_size: Holds the size of the result field.
  *
  * This function will return the X.509 certificate's serial number. 
  * This is obtained by the X509 Certificate serialNumber
  * field. Serial is not always a 32 or 64bit number. Some CAs use
  * large serial numbers, thus it may be wise to handle it as something
  * opaque. 
  * Returns a negative value in case of an error.
  *
  -*/
int
gnutls_x509_extract_certificate_serial (const gnutls_datum_t * cert,
					char *result, int *result_size)
{
  gnutls_x509_crt_t xcert;
  size_t size = *result_size;
  int ret;

  ret = gnutls_x509_crt_init (&xcert);
  if (ret < 0)
    return ret;

  ret = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
  if (ret < 0)
    {
      gnutls_x509_crt_deinit (xcert);
      return ret;
    }

  ret = gnutls_x509_crt_get_serial (xcert, result, &size);
  *result_size = size;

  gnutls_x509_crt_deinit (xcert);

  return ret;
}
示例#10
0
static gnutls_x509_crt_t
load_cert (void)
{
  gnutls_x509_crt_t crt;
  int ret;
  gnutls_datum_t dat;
  size_t size;

  if (!HAVE_OPT(LOAD_CERT))
    error (EXIT_FAILURE, 0, "missing --load-cert");

  ret = gnutls_x509_crt_init (&crt);
  if (ret < 0)
    error (EXIT_FAILURE, 0, "crt_init: %s", gnutls_strerror (ret));

  dat.data = (void*)read_binary_file (OPT_ARG(LOAD_CERT), &size);
  dat.size = size;

  if (!dat.data)
    error (EXIT_FAILURE, errno, "reading --load-cert: %s", OPT_ARG(LOAD_CERT));

  ret = gnutls_x509_crt_import (crt, &dat, encoding);
  free (dat.data);
  if (ret < 0)
    error (EXIT_FAILURE, 0, "importing --load-cert: %s: %s",
           OPT_ARG(LOAD_CERT), gnutls_strerror (ret));

  return crt;
}
示例#11
0
/* Return the certificate chain sent by the peer, or NULL on error. */
static ne_ssl_certificate *make_peers_chain(gnutls_session sock)
{
    ne_ssl_certificate *current = NULL, *top = NULL;
    const gnutls_datum *certs;
    unsigned int n, count;

    certs = gnutls_certificate_get_peers(sock, &count);
    if (!certs) {
        return NULL;
    }
    
    for (n = 0; n < count; n++) {
        ne_ssl_certificate *cert;
        gnutls_x509_crt x5;

        if (gnutls_x509_crt_init(&x5) ||
            gnutls_x509_crt_import(x5, &certs[n], GNUTLS_X509_FMT_DER)) {
            ne_ssl_cert_free(top);
            return NULL;
        }

        cert = populate_cert(ne_malloc(sizeof *cert), x5);
        
        if (top == NULL) {
            current = top = cert;
        } else {
            current->issuer = cert;
            current = cert;
        }
    }
    
    return top;
}
示例#12
0
static int etpan_certificate_check(const unsigned char *certificate, int len, void *data)
{
#ifdef USE_GNUTLS
	struct connect_param *param = (struct connect_param *)data;
	gnutls_x509_crt_t cert = NULL;
	gnutls_datum_t tmp;
	
	if (certificate == NULL || len < 0) {
		g_warning("no cert presented.\n");
		return 0;
	}
	
	tmp.data = malloc(len);
	memcpy(tmp.data, certificate, len);
	tmp.size = len;
	gnutls_x509_crt_init(&cert);
	if (gnutls_x509_crt_import(cert, &tmp, GNUTLS_X509_FMT_DER) < 0) {
		g_warning("nntp: can't get cert\n");
		return 0;
	} else if (ssl_certificate_check(cert, (guint)-1,
		(gchar *)param->server, (gushort)param->port) == TRUE) {
		gnutls_x509_crt_deinit(cert);
		return 0;
	} else {
		gnutls_x509_crt_deinit(cert);
		return -1;
	}
#endif
	return 0;
}
示例#13
0
int crypto_push_cert(crypto_ctx *ctx,
                     const unsigned char *data,
                     size_t len,
                     crypto_error **error)
{
    gnutls_x509_crt_t cert;
    gnutls_datum dt;
    int err;

    if (!ctx || !data || (len <= 0)) {
        crypto_error_set(error, 1, 0, "invalid crypto context or data");
        return 1;
    }

    if (ctx->num >= CERT_STACK_DEPTH) {
        crypto_error_set(error, 1, 0, "too many certificates in the chain.");
        return 1;
    }

    gnutls_x509_crt_init (&cert);

    dt.data = (unsigned char *) data;
    dt.size = len;
    err = gnutls_x509_crt_import (cert, &dt, GNUTLS_X509_FMT_DER);
    if (err != GNUTLS_E_SUCCESS) {
        gnutls_x509_crt_deinit (cert);
        crypto_error_set(error, 1, 0, "failed to decode certificate");
        return 1;
    }

    ctx->stack[ctx->num] = cert;
    ctx->num++;
    return 0;
}
示例#14
0
static gnutls_x509_crt_t			/* O - Certificate */
http_gnutls_create_credential(
    http_credential_t *credential)		/* I - Credential */
{
  int			result;			/* Result from GNU TLS */
  gnutls_x509_crt_t	cert;			/* Certificate */
  gnutls_datum_t	datum;			/* Data record */


  DEBUG_printf(("3http_gnutls_create_credential(credential=%p)", credential));

  if (!credential)
    return (NULL);

  if ((result = gnutls_x509_crt_init(&cert)) < 0)
  {
    DEBUG_printf(("4http_gnutls_create_credential: init error: %s", gnutls_strerror(result)));
    return (NULL);
  }

  datum.data = credential->data;
  datum.size = credential->datalen;

  if ((result = gnutls_x509_crt_import(cert, &datum, GNUTLS_X509_FMT_DER)) < 0)
  {
    DEBUG_printf(("4http_gnutls_create_credential: import error: %s", gnutls_strerror(result)));

    gnutls_x509_crt_deinit(cert);
    return (NULL);
  }

  return (cert);
}
示例#15
0
/* Reads a DER encoded certificate list from memory and stores it to a
 * gnutls_cert structure. Returns the number of certificates parsed.
 */
static int
parse_der_cert_mem (gnutls_cert ** cert_list, unsigned *ncerts,
		    const void *input_cert, int input_cert_size)
{
  gnutls_datum_t tmp;
  gnutls_x509_crt_t cert;
  int ret;

  ret = gnutls_x509_crt_init (&cert);
  if (ret < 0)
    {
      gnutls_assert ();
      return ret;
    }

  tmp.data = (opaque *) input_cert;
  tmp.size = input_cert_size;

  ret = gnutls_x509_crt_import (cert, &tmp, GNUTLS_X509_FMT_DER);
  if (ret < 0)
    {
      gnutls_assert ();
      gnutls_x509_crt_deinit (cert);
      return ret;
    }

  ret = parse_crt_mem (cert_list, ncerts, cert);
  gnutls_x509_crt_deinit (cert);

  return ret;
}
示例#16
0
/* This function will convert a der certificate to a format
 * (structure) that gnutls can understand and use. Actually the
 * important thing on this function is that it extracts the 
 * certificate's (public key) parameters.
 *
 * The noext flag is used to complete the handshake even if the
 * extensions found in the certificate are unsupported and critical. 
 * The critical extensions will be catched by the verification functions.
 */
int
_gnutls_x509_raw_cert_to_gcert (gnutls_cert * gcert,
				const gnutls_datum_t * derCert,
				int flags /* OR of ConvFlags */ )
{
  int ret;
  gnutls_x509_crt_t cert;

  ret = gnutls_x509_crt_init (&cert);
  if (ret < 0)
    {
      gnutls_assert ();
      return ret;
    }

  ret = gnutls_x509_crt_import (cert, derCert, GNUTLS_X509_FMT_DER);
  if (ret < 0)
    {
      gnutls_assert ();
      gnutls_x509_crt_deinit (cert);
      return ret;
    }

  ret = _gnutls_x509_crt_to_gcert (gcert, cert, flags);
  gnutls_x509_crt_deinit (cert);

  return ret;
}
示例#17
0
int
verify_certificate (gnutls_session session, char* CN)
{
	unsigned int cert_list_size;
	const gnutls_datum *cert_list;
	int ret;
	char dn[MAX_DN_LEN];
	size_t dn_len = MAX_DN_LEN;
	gnutls_x509_crt cert;

	ret = gnutls_certificate_verify_peers(session);

	if (ret < 0)
	{
		quorum_debug(LOG_DEBUG,"gnutls_certificate_verify_peers2 returns error");
		return -1;
	}
	if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) {
		quorum_debug(LOG_DEBUG,"The certificate is not a x.509 cert");
    		return -1;
	}
	if (gnutls_x509_crt_init (&cert) < 0)
	{
		quorum_debug(LOG_DEBUG,"error in gnutls_x509_crt_init");
		return -1;
	}

	cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
	if (cert_list == NULL)
	{
		quorum_debug(LOG_DEBUG,"No certificate was found!");
		return -1;
	}

	if (gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
	{
		quorum_debug(LOG_DEBUG,"error parsing certificate");
		return -1;
	}

	if (gnutls_x509_crt_get_expiration_time (cert) < time (0))
	{
		quorum_debug(LOG_DEBUG,"The certificate has expired");
		return -1;
	}

	if (gnutls_x509_crt_get_activation_time (cert) > time (0))
	{
		quorum_debug(LOG_DEBUG,"The certificate is not yet activated");
		return -1;
	}
	memset(dn, 0, MAX_DN_LEN);
	gnutls_x509_crt_get_dn(cert, dn, &dn_len);
	strncpy(CN, strstr(dn, "CN=")+3, MAX_DN_LEN);
	CN[MAX_DN_LEN-1]= '\0';
	quorum_debug(LOG_DEBUG,"The certificate cn:%s",CN);
	gnutls_x509_crt_deinit (cert);

	return 0;
}
示例#18
0
/**
 * gnutls_pcert_import_x509_raw:
 * @pcert: The pcert structure
 * @cert: The raw certificate to be imported
 * @format: The format of the certificate
 * @flags: zero for now
 *
 * This convenience function will import the given certificate to a
 * #gnutls_pcert_st structure. The structure must be deinitialized
 * afterwards using gnutls_pcert_deinit();
 *
 * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
 *   negative error value.
 **/
int gnutls_pcert_import_x509_raw (gnutls_pcert_st *pcert,
	const gnutls_datum_t* cert, 
	gnutls_x509_crt_fmt_t format, unsigned int flags)
{
int ret;
gnutls_x509_crt_t crt;

  memset(pcert, 0, sizeof(*pcert));

  ret = gnutls_x509_crt_init(&crt);
  if (ret < 0)
    return gnutls_assert_val(ret);

  ret = gnutls_x509_crt_import(crt, cert, format);
  if (ret < 0)
    {
      ret = gnutls_assert_val(ret);
      goto cleanup;
    }

  ret = gnutls_pcert_import_x509(pcert, crt, flags);
  if (ret < 0)
    {
      ret = gnutls_assert_val(ret);
      goto cleanup;
    }

  ret = 0;

cleanup:
  gnutls_x509_crt_deinit(crt);

  return ret;
}
示例#19
0
/*-
  * gnutls_x509_extract_certificate_subject_alt_name - This function returns the certificate's alternative name, if any
  * @cert: should contain an X.509 DER encoded certificate
  * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
  * @ret: is the place where the alternative name will be copied to
  * @ret_size: holds the size of ret.
  *
  * This function will return the alternative names, contained in the
  * given certificate.
  * 
  * This is specified in X509v3 Certificate Extensions. 
  * GNUTLS will return the Alternative name, or a negative
  * error code.
  * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if ret_size is not enough to hold the alternative 
  * name, or the type of alternative name if everything was ok. The type is 
  * one of the enumerated GNUTLS_X509_SUBJECT_ALT_NAME.
  *
  * If the certificate does not have an Alternative name with the specified 
  * sequence number then returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
  *
  -*/
int
gnutls_x509_extract_certificate_subject_alt_name (const gnutls_datum_t *
						  cert, int seq,
						  char *ret, int *ret_size)
{
  gnutls_x509_crt_t xcert;
  int result;
  size_t size = *ret_size;

  result = gnutls_x509_crt_init (&xcert);
  if (result < 0)
    return result;

  result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
  if (result < 0)
    {
      gnutls_x509_crt_deinit (xcert);
      return result;
    }

  result =
    gnutls_x509_crt_get_subject_alt_name (xcert, seq, ret, &size, NULL);
  *ret_size = size;

  gnutls_x509_crt_deinit (xcert);

  return result;
}
示例#20
0
文件: 34783_0.c 项目: B-Rich/osf_db
int
main (void)
{
  gnutls_x509_crt_t crt;
  gnutls_datum_t data = { "foo", 3 };
  gnutls_datum_t sig = { "bar", 3 };
  int ret;

  gnutls_global_init ();

  ret = gnutls_x509_crt_init (&crt);
  if (ret < 0)
    return 1;

  ret = gnutls_x509_crt_import (crt, &dsa_cert_dat, GNUTLS_X509_FMT_PEM);
  if (ret < 0)
    return 1;

  ret = gnutls_x509_crt_verify_data (crt, 0, &data, &sig);
  if (ret < 0)
    return 1;

  printf ("success!\n");

  gnutls_x509_crt_deinit (crt);
  gnutls_global_deinit ();

  return 0;
}
示例#21
0
/*-
  * gnutls_x509_extract_certificate_dn_string - This function returns the certificate's distinguished name
  * @cert: should contain an X.509 DER encoded certificate
  * @buf: a pointer to a structure to hold the peer's name
  * @sizeof_buf: holds the size of 'buf'
  * @issuer: if non zero, then extract the name of the issuer, instead of the holder
  *
  * This function will copy the name of the certificate holder in the provided buffer. The name 
  * will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253.
  *
  * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough,
  * and 0 on success.
  *
  -*/
int
gnutls_x509_extract_certificate_dn_string (char *buf,
					   unsigned int sizeof_buf,
					   const gnutls_datum_t * cert,
					   int issuer)
{
  gnutls_x509_crt_t xcert;
  int result;

  result = gnutls_x509_crt_init (&xcert);
  if (result < 0)
    return result;

  result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
  if (result < 0)
    {
      gnutls_x509_crt_deinit (xcert);
      return result;
    }

  if (!issuer)
    result = gnutls_x509_crt_get_dn (xcert, buf, &sizeof_buf);
  else
    result = gnutls_x509_crt_get_issuer_dn (xcert, buf, &sizeof_buf);

  gnutls_x509_crt_deinit (xcert);

  return result;
}
/* Loads the CA's certificate
 */
gnutls_x509_crt_t
load_ca_cert (common_info_st * info)
{
  gnutls_x509_crt_t crt;
  int ret;
  gnutls_datum_t dat;
  size_t size;

  if (info->ca == NULL)
    error (EXIT_FAILURE, 0, "missing --load-ca-certificate");

  ret = gnutls_x509_crt_init (&crt);
  if (ret < 0)
    error (EXIT_FAILURE, 0, "crt_init: %s", gnutls_strerror (ret));

  dat.data = read_binary_file (info->ca, &size);
  dat.size = size;

  if (!dat.data)
    error (EXIT_FAILURE, errno, "reading --load-ca-certificate: %s",
           info->ca);

  ret = gnutls_x509_crt_import (crt, &dat, info->incert_format);
  free (dat.data);
  if (ret < 0)
    error (EXIT_FAILURE, 0, "importing --load-ca-certificate: %s: %s",
           info->ca, gnutls_strerror (ret));

  return crt;
}
static void build_gnutls_cert_list(HevImpathyTLSVerifier *self)
{
	HevImpathyTLSVerifierPrivate *priv =
		HEV_IMPATHY_TLS_VERIFIER_GET_PRIVATE(self);
	guint num_certs = 0;
	guint idx = 0;
	GPtrArray *certificate_data = NULL;

	g_debug("%s:%d[%s]", __FILE__, __LINE__, __FUNCTION__);

	g_object_get(priv->certificate, "cert-data",
				&certificate_data, NULL);
	num_certs = certificate_data->len;

	priv->cert_chain = g_ptr_array_new_with_free_func(
				(GDestroyNotify)gnutls_x509_crt_deinit);
	for(idx=0; idx<num_certs; idx++)
	{
		gnutls_x509_crt_t cert = 0;
		GArray *one_cert = NULL;
		gnutls_datum_t datum = { NULL, 0 };

		one_cert = g_ptr_array_index(certificate_data, idx);
		datum.data = (guchar *)one_cert->data;
		datum.size = one_cert->len;

		gnutls_x509_crt_init(&cert);
		gnutls_x509_crt_import(cert, &datum, GNUTLS_X509_FMT_DER);

		g_ptr_array_add(priv->cert_chain, cert);
	}
}
示例#24
0
/* loads a the corresponding to the private key public key either from 
 * a public key object or from a certificate.
 */
static int load_pubkey_obj(gnutls_pkcs11_privkey_t pkey, gnutls_pubkey_t pub)
{
	int ret, iret;
	gnutls_x509_crt_t crt;

	ret = gnutls_pubkey_import_url(pub, pkey->url, pkey->flags);
	if (ret >= 0) {
		return ret;
	}
	iret = ret;

	/* else try certificate */
	ret = gnutls_x509_crt_init(&crt);
	if (ret < 0) {
		gnutls_assert();
		return ret;
	}

	gnutls_x509_crt_set_pin_function(crt, pkey->pin.cb, pkey->pin.data);

	ret = gnutls_x509_crt_import_url(crt, pkey->url, pkey->flags);
	if (ret < 0) {
		ret = iret;
		goto cleanup;
	}

	ret = gnutls_pubkey_import_x509(pub, crt, 0);

 cleanup:
	gnutls_x509_crt_deinit(crt);
	return ret;
}
示例#25
0
文件: dn2.c 项目: Chronic-Dev/gnutls
void
doit (void)
{
  gnutls_datum_t der = { pem, sizeof (pem) };
  gnutls_x509_crt_t cert;
  gnutls_datum_t out;
  int ret;

  ret = gnutls_global_init ();
  if (ret < 0)
    fail ("init %d\n", ret);

  ret = gnutls_x509_crt_init (&cert);
  if (ret < 0)
    fail ("crt_init %d\n", ret);

  ret = gnutls_x509_crt_import (cert, &der, GNUTLS_X509_FMT_PEM);
  if (ret < 0)
    fail ("crt_import %d\n", ret);

  ret = gnutls_x509_crt_print (cert, GNUTLS_CRT_PRINT_ONELINE, &out);
  if (ret < 0)
    fail ("x509_crt_print %d\n", ret);

  if (out.size != strlen (info) || strcmp (out.data, info) != 0)
    fail ("comparison fail (%d/%d)\nexpect: %s\n   got: %.*s\n",
	  out.size, (int) strlen (info), info, out.size, out.data);

  gnutls_x509_crt_deinit (cert);
  gnutls_global_deinit ();
  gnutls_free (out.data);

  if (debug)
    success ("done\n");
}
示例#26
0
文件: tlscert-gnu.c 项目: toddr/exim
int
tls_import_cert(const uschar * buf, void ** cert)
{
    void * reset_point = store_get(0);
    gnutls_datum_t datum;
    gnutls_x509_crt_t crt = *(gnutls_x509_crt_t *)cert;
    int fail = 0;

    if (crt)
        gnutls_x509_crt_deinit(crt);
    else
        gnutls_global_init();

    gnutls_x509_crt_init(&crt);

    datum.data = string_unprinting(US buf);
    datum.size = Ustrlen(datum.data);
    if ((fail = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM)))
    {
        log_write(0, LOG_MAIN, "TLS error in certificate import: %s",
                  gnutls_strerror(fail));
        fail = 1;
    }
    else
        *cert = (void *)crt;

    store_reset(reset_point);
    return fail;
}
示例#27
0
LIBETPAN_EXPORT
int mailstream_ssl_set_client_certificate_data(struct mailstream_ssl_context * ssl_context,
    unsigned char *x509_der, size_t len)
{
#ifdef USE_SSL
#ifndef USE_GNUTLS
  X509 *x509 = NULL;
  if (x509_der != NULL && len > 0)
    x509 = d2i_X509(NULL, (const unsigned char **)&x509_der, len);
  ssl_context->client_x509 = (X509 *)x509;
  return 0;
#else
  gnutls_datum tmp;
  int r;
  ssl_context->client_x509 = NULL;
  if (len == 0)
    return 0;
  gnutls_x509_crt_init(&(ssl_context->client_x509));
  tmp.data = x509_der;
  tmp.size = len;
  if ((r = gnutls_x509_crt_import(ssl_context->client_x509, &tmp, GNUTLS_X509_FMT_DER)) < 0) {
    gnutls_x509_crt_deinit(ssl_context->client_x509); /* ici */
    ssl_context->client_x509 = NULL;
    return -1;
  }
  return 0;
#endif
#endif
  return -1;
}
示例#28
0
static gnutls_x509_crt_t
load_cert (const char *cert_file)
{
    gnutls_x509_crt_t crt;
    int ret;
    gnutls_datum_t data;
    size_t size;

    ret = gnutls_x509_crt_init (&crt);
    if (ret < 0)
        exit (1);

    data.data = (void *) read_binary_file (cert_file, &size);
    data.size = size;

    if (!data.data)
      {
          fprintf (stderr, "Cannot open file: %s\n", cert_file);
          exit (1);
      }

    ret = gnutls_x509_crt_import (crt, &data, GNUTLS_X509_FMT_PEM);
    free (data.data);
    if (ret < 0)
      {
          fprintf (stderr, "Cannot import certificate in %s: %s\n",
                   cert_file, gnutls_strerror (ret));
          exit (1);
      }

    return crt;
}
示例#29
0
static int get_client_cert(gnutls_session_t session, gnutls_x509_crt_t *client_cert) {
        const gnutls_datum_t *pcert;
        unsigned listsize;
        gnutls_x509_crt_t cert;
        int r;

        assert(session);
        assert(client_cert);

        pcert = gnutls_certificate_get_peers(session, &listsize);
        if (!pcert || !listsize) {
                log_error("Failed to retrieve certificate chain");
                return -EINVAL;
        }

        r = gnutls_x509_crt_init(&cert);
        if (r < 0) {
                log_error("Failed to initialize client certificate");
                return r;
        }

        /* Note that by passing values between 0 and listsize here, you
           can get access to the CA's certs */
        r = gnutls_x509_crt_import(cert, &pcert[0], GNUTLS_X509_FMT_DER);
        if (r < 0) {
                log_error("Failed to import client certificate");
                gnutls_x509_crt_deinit(cert);
                return r;
        }

        *client_cert = cert;
        return 0;
}
示例#30
0
/*-
  * gnutls_x509_extract_certificate_issuer_dn - This function returns the certificate's issuer distinguished name
  * @cert: should contain an X.509 DER encoded certificate
  * @ret: a pointer to a structure to hold the issuer's name
  *
  * This function will return the name of the issuer stated in the certificate. The name is a gnutls_x509_dn structure and 
  * is a obtained by the peer's certificate. If the certificate send by the
  * peer is invalid, or in any other failure this function returns error.
  * Returns a negative error code in case of an error.
  *
  -*/
int
gnutls_x509_extract_certificate_issuer_dn (const gnutls_datum_t * cert,
					   gnutls_x509_dn * ret)
{
  gnutls_x509_crt_t xcert;
  int result;
  size_t len;

  result = gnutls_x509_crt_init (&xcert);
  if (result < 0)
    return result;

  result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
  if (result < 0)
    {
      gnutls_x509_crt_deinit (xcert);
      return result;
    }

  len = sizeof (ret->country);
  gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
					GNUTLS_OID_X520_COUNTRY_NAME, 0,
					0, ret->country, &len);

  len = sizeof (ret->organization);
  gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
					GNUTLS_OID_X520_ORGANIZATION_NAME,
					0, 0, ret->organization, &len);

  len = sizeof (ret->organizational_unit_name);
  gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
					GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
					0, 0,
					ret->organizational_unit_name, &len);

  len = sizeof (ret->common_name);
  gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
					GNUTLS_OID_X520_COMMON_NAME, 0, 0,
					ret->common_name, &len);

  len = sizeof (ret->locality_name);
  gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
					GNUTLS_OID_X520_LOCALITY_NAME, 0,
					0, ret->locality_name, &len);

  len = sizeof (ret->state_or_province_name);
  gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
					GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME,
					0, 0, ret->state_or_province_name,
					&len);

  len = sizeof (ret->email);
  gnutls_x509_crt_get_issuer_dn_by_oid (xcert, GNUTLS_OID_PKCS9_EMAIL, 0,
					0, ret->email, &len);

  gnutls_x509_crt_deinit (xcert);

  return 0;
}