GNUTLS_SKIP_GLOBAL_INIT
void doit(void)
{
int ret;
gnutls_x509_crt_t crt;
ret = gnutls_x509_crt_init(&crt);
if (ret >= 0) {
if (!weak_symbol_works)
exit(77);
fail("Library is already initialized\n");
}
gnutls_global_init();
ret = gnutls_x509_crt_init(&crt);
if (ret < 0) {
fail("Could not init certificate!\n");
}
gnutls_x509_crt_deinit(crt);
gnutls_global_deinit();
}
GNUTLS_SKIP_GLOBAL_INIT
void doit(void)
{
#ifdef _WIN32
/* weak symbols don't seem to work in windows */
exit(77);
#else
int ret;
gnutls_x509_crt_t crt;
ret = gnutls_x509_crt_init(&crt);
if (ret >= 0) {
fail("Library is already initialized\n");
}
gnutls_global_init();
ret = gnutls_x509_crt_init(&crt);
if (ret < 0) {
fail("Could not init certificate!\n");
}
gnutls_x509_crt_deinit(crt);
gnutls_global_deinit();
#endif
}
/**
* Enables SSL for the given connection.
*
* @param connection The connection to enable SSL for.
*
* @return IDEVICE_E_SUCCESS on success, IDEVICE_E_INVALID_ARG when connection
* is NULL or connection->ssl_data is non-NULL, or IDEVICE_E_SSL_ERROR when
* SSL initialization, setup, or handshake fails.
*/
idevice_error_t idevice_connection_enable_ssl(idevice_connection_t connection)
{
if (!connection || connection->ssl_data)
return IDEVICE_E_INVALID_ARG;
idevice_error_t ret = IDEVICE_E_SSL_ERROR;
uint32_t return_me = 0;
ssl_data_t ssl_data_loc = (ssl_data_t)malloc(sizeof(struct ssl_data_private));
/* Set up GnuTLS... */
debug_info("enabling SSL mode");
errno = 0;
gnutls_global_init();
gnutls_certificate_allocate_credentials(&ssl_data_loc->certificate);
gnutls_certificate_client_set_retrieve_function (ssl_data_loc->certificate, internal_cert_callback);
gnutls_init(&ssl_data_loc->session, GNUTLS_CLIENT);
gnutls_priority_set_direct(ssl_data_loc->session, "NONE:+VERS-SSL3.0:+ANON-DH:+RSA:+AES-128-CBC:+AES-256-CBC:+SHA1:+MD5:+COMP-NULL", NULL);
gnutls_credentials_set(ssl_data_loc->session, GNUTLS_CRD_CERTIFICATE, ssl_data_loc->certificate);
gnutls_session_set_ptr(ssl_data_loc->session, ssl_data_loc);
gnutls_x509_crt_init(&ssl_data_loc->root_cert);
gnutls_x509_crt_init(&ssl_data_loc->host_cert);
gnutls_x509_privkey_init(&ssl_data_loc->root_privkey);
gnutls_x509_privkey_init(&ssl_data_loc->host_privkey);
userpref_error_t uerr = userpref_get_keys_and_certs(ssl_data_loc->root_privkey, ssl_data_loc->root_cert, ssl_data_loc->host_privkey, ssl_data_loc->host_cert);
if (uerr != USERPREF_E_SUCCESS) {
debug_info("Error %d when loading keys and certificates! %d", uerr);
}
debug_info("GnuTLS step 1...");
gnutls_transport_set_ptr(ssl_data_loc->session, (gnutls_transport_ptr_t)connection);
debug_info("GnuTLS step 2...");
gnutls_transport_set_push_function(ssl_data_loc->session, (gnutls_push_func) & internal_ssl_write);
debug_info("GnuTLS step 3...");
gnutls_transport_set_pull_function(ssl_data_loc->session, (gnutls_pull_func) & internal_ssl_read);
debug_info("GnuTLS step 4 -- now handshaking...");
if (errno)
debug_info("WARN: errno says %s before handshake!", strerror(errno));
return_me = gnutls_handshake(ssl_data_loc->session);
debug_info("GnuTLS handshake done...");
if (return_me != GNUTLS_E_SUCCESS) {
internal_ssl_cleanup(ssl_data_loc);
free(ssl_data_loc);
debug_info("GnuTLS reported something wrong.");
gnutls_perror(return_me);
debug_info("oh.. errno says %s", strerror(errno));
} else {
connection->ssl_data = ssl_data_loc;
ret = IDEVICE_E_SUCCESS;
debug_info("SSL mode enabled");
}
return ret;
}
int
rb_get_ssl_certfp(rb_fde_t *F, uint8_t certfp[RB_SSL_CERTFP_LEN], int method)
{
gnutls_x509_crt_t cert;
gnutls_digest_algorithm_t algo;
unsigned int cert_list_size;
const gnutls_datum_t *cert_list;
uint8_t digest[RB_SSL_CERTFP_LEN * 2];
size_t digest_size;
int len;
if (gnutls_certificate_type_get(SSL_P(F)) != GNUTLS_CRT_X509)
return 0;
if (gnutls_x509_crt_init(&cert) < 0)
return 0;
cert_list_size = 0;
cert_list = gnutls_certificate_get_peers(SSL_P(F), &cert_list_size);
if (cert_list == NULL)
{
gnutls_x509_crt_deinit(cert);
return 0;
}
if (gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
{
gnutls_x509_crt_deinit(cert);
return 0;
}
switch(method)
{
case RB_SSL_CERTFP_METH_SHA1:
algo = GNUTLS_DIG_SHA1;
len = RB_SSL_CERTFP_LEN_SHA1;
break;
case RB_SSL_CERTFP_METH_SHA256:
algo = GNUTLS_DIG_SHA256;
len = RB_SSL_CERTFP_LEN_SHA256;
break;
case RB_SSL_CERTFP_METH_SHA512:
algo = GNUTLS_DIG_SHA512;
len = RB_SSL_CERTFP_LEN_SHA512;
break;
default:
return 0;
}
if (gnutls_x509_crt_get_fingerprint(cert, algo, digest, &digest_size) < 0)
{
gnutls_x509_crt_deinit(cert);
return 0;
}
memcpy(certfp, digest, len);
gnutls_x509_crt_deinit(cert);
return len;
}
/* Returns a copy certificate of certificate SRC. */
static gnutls_x509_crt x509_crt_copy(gnutls_x509_crt src)
{
int ret;
size_t size;
gnutls_datum tmp;
gnutls_x509_crt dest;
if (gnutls_x509_crt_init(&dest) != 0) {
return NULL;
}
if (gnutls_x509_crt_export(src, GNUTLS_X509_FMT_DER, NULL, &size)
!= GNUTLS_E_SHORT_MEMORY_BUFFER) {
gnutls_x509_crt_deinit(dest);
return NULL;
}
tmp.data = ne_malloc(size);
ret = gnutls_x509_crt_export(src, GNUTLS_X509_FMT_DER, tmp.data, &size);
if (ret == 0) {
tmp.size = size;
ret = gnutls_x509_crt_import(dest, &tmp, GNUTLS_X509_FMT_DER);
}
if (ret) {
gnutls_x509_crt_deinit(dest);
dest = NULL;
}
ne_free(tmp.data);
return dest;
}
ne_ssl_certificate *ne_ssl_cert_import(const char *data)
{
int ret;
size_t len;
unsigned char *der;
gnutls_datum buffer = { NULL, 0 };
gnutls_x509_crt x5;
if (gnutls_x509_crt_init(&x5) != 0)
return NULL;
/* decode the base64 to get the raw DER representation */
len = ne_unbase64(data, &der);
if (len == 0) return NULL;
buffer.data = der;
buffer.size = len;
ret = gnutls_x509_crt_import(x5, &buffer, GNUTLS_X509_FMT_DER);
ne_free(der);
if (ret < 0) {
gnutls_x509_crt_deinit(x5);
return NULL;
}
return populate_cert(ne_calloc(sizeof(struct ne_ssl_certificate_s)), x5);
}
/** Transforms a gnutls_datum containing an X.509 certificate into a Certificate instance under the x509_gnutls scheme
*
* @param dt Datum to transform
* @param mode GnuTLS certificate format specifier (GNUTLS_X509_FMT_PEM for
* reading from files, and GNUTLS_X509_FMT_DER for converting
* "over the wire" certs for SSL)
*
* @return A newly allocated Certificate structure of the x509_gnutls scheme
*/
static PurpleCertificate *
x509_import_from_datum(const gnutls_datum_t dt, gnutls_x509_crt_fmt_t mode)
{
/* Internal certificate data structure */
x509_crtdata_t *certdat;
/* New certificate to return */
PurpleCertificate * crt;
/* Allocate and prepare the internal certificate data */
certdat = g_new0(x509_crtdata_t, 1);
if (gnutls_x509_crt_init(&(certdat->crt)) != 0) {
g_free(certdat);
return NULL;
}
certdat->refcount = 0;
/* Perform the actual certificate parse */
/* Yes, certdat->crt should be passed as-is */
if (gnutls_x509_crt_import(certdat->crt, &dt, mode) != 0) {
g_free(certdat);
return NULL;
}
/* Allocate the certificate and load it with data */
crt = g_new0(PurpleCertificate, 1);
crt->scheme = &x509_gnutls;
crt->data = x509_crtdata_addref(certdat);
return crt;
}
static void print_x509_info_compact(gnutls_session_t session)
{
gnutls_x509_crt_t crt;
const gnutls_datum_t *cert_list;
unsigned int cert_list_size = 0;
int ret;
gnutls_datum_t cinfo;
cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
if (cert_list_size == 0) {
fprintf(stderr, "No certificates found!\n");
return;
}
gnutls_x509_crt_init(&crt);
ret =
gnutls_x509_crt_import(crt, &cert_list[0],
GNUTLS_X509_FMT_DER);
if (ret < 0) {
fprintf(stderr, "Decoding error: %s\n",
gnutls_strerror(ret));
return;
}
ret = gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_COMPACT, &cinfo);
if (ret == 0) {
printf("- X.509 cert: %s\n", cinfo.data);
gnutls_free(cinfo.data);
}
gnutls_x509_crt_deinit(crt);
}
/*-
* gnutls_x509_extract_certificate_serial - This function returns the certificate's serial number
* @cert: is an X.509 DER encoded certificate
* @result: The place where the serial number will be copied
* @result_size: Holds the size of the result field.
*
* This function will return the X.509 certificate's serial number.
* This is obtained by the X509 Certificate serialNumber
* field. Serial is not always a 32 or 64bit number. Some CAs use
* large serial numbers, thus it may be wise to handle it as something
* opaque.
* Returns a negative value in case of an error.
*
-*/
int
gnutls_x509_extract_certificate_serial (const gnutls_datum_t * cert,
char *result, int *result_size)
{
gnutls_x509_crt_t xcert;
size_t size = *result_size;
int ret;
ret = gnutls_x509_crt_init (&xcert);
if (ret < 0)
return ret;
ret = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
if (ret < 0)
{
gnutls_x509_crt_deinit (xcert);
return ret;
}
ret = gnutls_x509_crt_get_serial (xcert, result, &size);
*result_size = size;
gnutls_x509_crt_deinit (xcert);
return ret;
}
static gnutls_x509_crt_t
load_cert (void)
{
gnutls_x509_crt_t crt;
int ret;
gnutls_datum_t dat;
size_t size;
if (!HAVE_OPT(LOAD_CERT))
error (EXIT_FAILURE, 0, "missing --load-cert");
ret = gnutls_x509_crt_init (&crt);
if (ret < 0)
error (EXIT_FAILURE, 0, "crt_init: %s", gnutls_strerror (ret));
dat.data = (void*)read_binary_file (OPT_ARG(LOAD_CERT), &size);
dat.size = size;
if (!dat.data)
error (EXIT_FAILURE, errno, "reading --load-cert: %s", OPT_ARG(LOAD_CERT));
ret = gnutls_x509_crt_import (crt, &dat, encoding);
free (dat.data);
if (ret < 0)
error (EXIT_FAILURE, 0, "importing --load-cert: %s: %s",
OPT_ARG(LOAD_CERT), gnutls_strerror (ret));
return crt;
}
/* Return the certificate chain sent by the peer, or NULL on error. */
static ne_ssl_certificate *make_peers_chain(gnutls_session sock)
{
ne_ssl_certificate *current = NULL, *top = NULL;
const gnutls_datum *certs;
unsigned int n, count;
certs = gnutls_certificate_get_peers(sock, &count);
if (!certs) {
return NULL;
}
for (n = 0; n < count; n++) {
ne_ssl_certificate *cert;
gnutls_x509_crt x5;
if (gnutls_x509_crt_init(&x5) ||
gnutls_x509_crt_import(x5, &certs[n], GNUTLS_X509_FMT_DER)) {
ne_ssl_cert_free(top);
return NULL;
}
cert = populate_cert(ne_malloc(sizeof *cert), x5);
if (top == NULL) {
current = top = cert;
} else {
current->issuer = cert;
current = cert;
}
}
return top;
}
static int etpan_certificate_check(const unsigned char *certificate, int len, void *data)
{
#ifdef USE_GNUTLS
struct connect_param *param = (struct connect_param *)data;
gnutls_x509_crt_t cert = NULL;
gnutls_datum_t tmp;
if (certificate == NULL || len < 0) {
g_warning("no cert presented.\n");
return 0;
}
tmp.data = malloc(len);
memcpy(tmp.data, certificate, len);
tmp.size = len;
gnutls_x509_crt_init(&cert);
if (gnutls_x509_crt_import(cert, &tmp, GNUTLS_X509_FMT_DER) < 0) {
g_warning("nntp: can't get cert\n");
return 0;
} else if (ssl_certificate_check(cert, (guint)-1,
(gchar *)param->server, (gushort)param->port) == TRUE) {
gnutls_x509_crt_deinit(cert);
return 0;
} else {
gnutls_x509_crt_deinit(cert);
return -1;
}
#endif
return 0;
}
int crypto_push_cert(crypto_ctx *ctx,
const unsigned char *data,
size_t len,
crypto_error **error)
{
gnutls_x509_crt_t cert;
gnutls_datum dt;
int err;
if (!ctx || !data || (len <= 0)) {
crypto_error_set(error, 1, 0, "invalid crypto context or data");
return 1;
}
if (ctx->num >= CERT_STACK_DEPTH) {
crypto_error_set(error, 1, 0, "too many certificates in the chain.");
return 1;
}
gnutls_x509_crt_init (&cert);
dt.data = (unsigned char *) data;
dt.size = len;
err = gnutls_x509_crt_import (cert, &dt, GNUTLS_X509_FMT_DER);
if (err != GNUTLS_E_SUCCESS) {
gnutls_x509_crt_deinit (cert);
crypto_error_set(error, 1, 0, "failed to decode certificate");
return 1;
}
ctx->stack[ctx->num] = cert;
ctx->num++;
return 0;
}
static gnutls_x509_crt_t /* O - Certificate */
http_gnutls_create_credential(
http_credential_t *credential) /* I - Credential */
{
int result; /* Result from GNU TLS */
gnutls_x509_crt_t cert; /* Certificate */
gnutls_datum_t datum; /* Data record */
DEBUG_printf(("3http_gnutls_create_credential(credential=%p)", credential));
if (!credential)
return (NULL);
if ((result = gnutls_x509_crt_init(&cert)) < 0)
{
DEBUG_printf(("4http_gnutls_create_credential: init error: %s", gnutls_strerror(result)));
return (NULL);
}
datum.data = credential->data;
datum.size = credential->datalen;
if ((result = gnutls_x509_crt_import(cert, &datum, GNUTLS_X509_FMT_DER)) < 0)
{
DEBUG_printf(("4http_gnutls_create_credential: import error: %s", gnutls_strerror(result)));
gnutls_x509_crt_deinit(cert);
return (NULL);
}
return (cert);
}
/* Reads a DER encoded certificate list from memory and stores it to a
* gnutls_cert structure. Returns the number of certificates parsed.
*/
static int
parse_der_cert_mem (gnutls_cert ** cert_list, unsigned *ncerts,
const void *input_cert, int input_cert_size)
{
gnutls_datum_t tmp;
gnutls_x509_crt_t cert;
int ret;
ret = gnutls_x509_crt_init (&cert);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
tmp.data = (opaque *) input_cert;
tmp.size = input_cert_size;
ret = gnutls_x509_crt_import (cert, &tmp, GNUTLS_X509_FMT_DER);
if (ret < 0)
{
gnutls_assert ();
gnutls_x509_crt_deinit (cert);
return ret;
}
ret = parse_crt_mem (cert_list, ncerts, cert);
gnutls_x509_crt_deinit (cert);
return ret;
}
/* This function will convert a der certificate to a format
* (structure) that gnutls can understand and use. Actually the
* important thing on this function is that it extracts the
* certificate's (public key) parameters.
*
* The noext flag is used to complete the handshake even if the
* extensions found in the certificate are unsupported and critical.
* The critical extensions will be catched by the verification functions.
*/
int
_gnutls_x509_raw_cert_to_gcert (gnutls_cert * gcert,
const gnutls_datum_t * derCert,
int flags /* OR of ConvFlags */ )
{
int ret;
gnutls_x509_crt_t cert;
ret = gnutls_x509_crt_init (&cert);
if (ret < 0)
{
gnutls_assert ();
return ret;
}
ret = gnutls_x509_crt_import (cert, derCert, GNUTLS_X509_FMT_DER);
if (ret < 0)
{
gnutls_assert ();
gnutls_x509_crt_deinit (cert);
return ret;
}
ret = _gnutls_x509_crt_to_gcert (gcert, cert, flags);
gnutls_x509_crt_deinit (cert);
return ret;
}
int
verify_certificate (gnutls_session session, char* CN)
{
unsigned int cert_list_size;
const gnutls_datum *cert_list;
int ret;
char dn[MAX_DN_LEN];
size_t dn_len = MAX_DN_LEN;
gnutls_x509_crt cert;
ret = gnutls_certificate_verify_peers(session);
if (ret < 0)
{
quorum_debug(LOG_DEBUG,"gnutls_certificate_verify_peers2 returns error");
return -1;
}
if (gnutls_certificate_type_get (session) != GNUTLS_CRT_X509) {
quorum_debug(LOG_DEBUG,"The certificate is not a x.509 cert");
return -1;
}
if (gnutls_x509_crt_init (&cert) < 0)
{
quorum_debug(LOG_DEBUG,"error in gnutls_x509_crt_init");
return -1;
}
cert_list = gnutls_certificate_get_peers (session, &cert_list_size);
if (cert_list == NULL)
{
quorum_debug(LOG_DEBUG,"No certificate was found!");
return -1;
}
if (gnutls_x509_crt_import (cert, &cert_list[0], GNUTLS_X509_FMT_DER) < 0)
{
quorum_debug(LOG_DEBUG,"error parsing certificate");
return -1;
}
if (gnutls_x509_crt_get_expiration_time (cert) < time (0))
{
quorum_debug(LOG_DEBUG,"The certificate has expired");
return -1;
}
if (gnutls_x509_crt_get_activation_time (cert) > time (0))
{
quorum_debug(LOG_DEBUG,"The certificate is not yet activated");
return -1;
}
memset(dn, 0, MAX_DN_LEN);
gnutls_x509_crt_get_dn(cert, dn, &dn_len);
strncpy(CN, strstr(dn, "CN=")+3, MAX_DN_LEN);
CN[MAX_DN_LEN-1]= '\0';
quorum_debug(LOG_DEBUG,"The certificate cn:%s",CN);
gnutls_x509_crt_deinit (cert);
return 0;
}
/**
* gnutls_pcert_import_x509_raw:
* @pcert: The pcert structure
* @cert: The raw certificate to be imported
* @format: The format of the certificate
* @flags: zero for now
*
* This convenience function will import the given certificate to a
* #gnutls_pcert_st structure. The structure must be deinitialized
* afterwards using gnutls_pcert_deinit();
*
* Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
* negative error value.
**/
int gnutls_pcert_import_x509_raw (gnutls_pcert_st *pcert,
const gnutls_datum_t* cert,
gnutls_x509_crt_fmt_t format, unsigned int flags)
{
int ret;
gnutls_x509_crt_t crt;
memset(pcert, 0, sizeof(*pcert));
ret = gnutls_x509_crt_init(&crt);
if (ret < 0)
return gnutls_assert_val(ret);
ret = gnutls_x509_crt_import(crt, cert, format);
if (ret < 0)
{
ret = gnutls_assert_val(ret);
goto cleanup;
}
ret = gnutls_pcert_import_x509(pcert, crt, flags);
if (ret < 0)
{
ret = gnutls_assert_val(ret);
goto cleanup;
}
ret = 0;
cleanup:
gnutls_x509_crt_deinit(crt);
return ret;
}
/*-
* gnutls_x509_extract_certificate_subject_alt_name - This function returns the certificate's alternative name, if any
* @cert: should contain an X.509 DER encoded certificate
* @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.)
* @ret: is the place where the alternative name will be copied to
* @ret_size: holds the size of ret.
*
* This function will return the alternative names, contained in the
* given certificate.
*
* This is specified in X509v3 Certificate Extensions.
* GNUTLS will return the Alternative name, or a negative
* error code.
* Returns GNUTLS_E_SHORT_MEMORY_BUFFER if ret_size is not enough to hold the alternative
* name, or the type of alternative name if everything was ok. The type is
* one of the enumerated GNUTLS_X509_SUBJECT_ALT_NAME.
*
* If the certificate does not have an Alternative name with the specified
* sequence number then returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
*
-*/
int
gnutls_x509_extract_certificate_subject_alt_name (const gnutls_datum_t *
cert, int seq,
char *ret, int *ret_size)
{
gnutls_x509_crt_t xcert;
int result;
size_t size = *ret_size;
result = gnutls_x509_crt_init (&xcert);
if (result < 0)
return result;
result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
if (result < 0)
{
gnutls_x509_crt_deinit (xcert);
return result;
}
result =
gnutls_x509_crt_get_subject_alt_name (xcert, seq, ret, &size, NULL);
*ret_size = size;
gnutls_x509_crt_deinit (xcert);
return result;
}
int
main (void)
{
gnutls_x509_crt_t crt;
gnutls_datum_t data = { "foo", 3 };
gnutls_datum_t sig = { "bar", 3 };
int ret;
gnutls_global_init ();
ret = gnutls_x509_crt_init (&crt);
if (ret < 0)
return 1;
ret = gnutls_x509_crt_import (crt, &dsa_cert_dat, GNUTLS_X509_FMT_PEM);
if (ret < 0)
return 1;
ret = gnutls_x509_crt_verify_data (crt, 0, &data, &sig);
if (ret < 0)
return 1;
printf ("success!\n");
gnutls_x509_crt_deinit (crt);
gnutls_global_deinit ();
return 0;
}
/*-
* gnutls_x509_extract_certificate_dn_string - This function returns the certificate's distinguished name
* @cert: should contain an X.509 DER encoded certificate
* @buf: a pointer to a structure to hold the peer's name
* @sizeof_buf: holds the size of 'buf'
* @issuer: if non zero, then extract the name of the issuer, instead of the holder
*
* This function will copy the name of the certificate holder in the provided buffer. The name
* will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253.
*
* Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough,
* and 0 on success.
*
-*/
int
gnutls_x509_extract_certificate_dn_string (char *buf,
unsigned int sizeof_buf,
const gnutls_datum_t * cert,
int issuer)
{
gnutls_x509_crt_t xcert;
int result;
result = gnutls_x509_crt_init (&xcert);
if (result < 0)
return result;
result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
if (result < 0)
{
gnutls_x509_crt_deinit (xcert);
return result;
}
if (!issuer)
result = gnutls_x509_crt_get_dn (xcert, buf, &sizeof_buf);
else
result = gnutls_x509_crt_get_issuer_dn (xcert, buf, &sizeof_buf);
gnutls_x509_crt_deinit (xcert);
return result;
}
/* Loads the CA's certificate
*/
gnutls_x509_crt_t
load_ca_cert (common_info_st * info)
{
gnutls_x509_crt_t crt;
int ret;
gnutls_datum_t dat;
size_t size;
if (info->ca == NULL)
error (EXIT_FAILURE, 0, "missing --load-ca-certificate");
ret = gnutls_x509_crt_init (&crt);
if (ret < 0)
error (EXIT_FAILURE, 0, "crt_init: %s", gnutls_strerror (ret));
dat.data = read_binary_file (info->ca, &size);
dat.size = size;
if (!dat.data)
error (EXIT_FAILURE, errno, "reading --load-ca-certificate: %s",
info->ca);
ret = gnutls_x509_crt_import (crt, &dat, info->incert_format);
free (dat.data);
if (ret < 0)
error (EXIT_FAILURE, 0, "importing --load-ca-certificate: %s: %s",
info->ca, gnutls_strerror (ret));
return crt;
}
static void build_gnutls_cert_list(HevImpathyTLSVerifier *self)
{
HevImpathyTLSVerifierPrivate *priv =
HEV_IMPATHY_TLS_VERIFIER_GET_PRIVATE(self);
guint num_certs = 0;
guint idx = 0;
GPtrArray *certificate_data = NULL;
g_debug("%s:%d[%s]", __FILE__, __LINE__, __FUNCTION__);
g_object_get(priv->certificate, "cert-data",
&certificate_data, NULL);
num_certs = certificate_data->len;
priv->cert_chain = g_ptr_array_new_with_free_func(
(GDestroyNotify)gnutls_x509_crt_deinit);
for(idx=0; idx<num_certs; idx++)
{
gnutls_x509_crt_t cert = 0;
GArray *one_cert = NULL;
gnutls_datum_t datum = { NULL, 0 };
one_cert = g_ptr_array_index(certificate_data, idx);
datum.data = (guchar *)one_cert->data;
datum.size = one_cert->len;
gnutls_x509_crt_init(&cert);
gnutls_x509_crt_import(cert, &datum, GNUTLS_X509_FMT_DER);
g_ptr_array_add(priv->cert_chain, cert);
}
}
/* loads a the corresponding to the private key public key either from
* a public key object or from a certificate.
*/
static int load_pubkey_obj(gnutls_pkcs11_privkey_t pkey, gnutls_pubkey_t pub)
{
int ret, iret;
gnutls_x509_crt_t crt;
ret = gnutls_pubkey_import_url(pub, pkey->url, pkey->flags);
if (ret >= 0) {
return ret;
}
iret = ret;
/* else try certificate */
ret = gnutls_x509_crt_init(&crt);
if (ret < 0) {
gnutls_assert();
return ret;
}
gnutls_x509_crt_set_pin_function(crt, pkey->pin.cb, pkey->pin.data);
ret = gnutls_x509_crt_import_url(crt, pkey->url, pkey->flags);
if (ret < 0) {
ret = iret;
goto cleanup;
}
ret = gnutls_pubkey_import_x509(pub, crt, 0);
cleanup:
gnutls_x509_crt_deinit(crt);
return ret;
}
void
doit (void)
{
gnutls_datum_t der = { pem, sizeof (pem) };
gnutls_x509_crt_t cert;
gnutls_datum_t out;
int ret;
ret = gnutls_global_init ();
if (ret < 0)
fail ("init %d\n", ret);
ret = gnutls_x509_crt_init (&cert);
if (ret < 0)
fail ("crt_init %d\n", ret);
ret = gnutls_x509_crt_import (cert, &der, GNUTLS_X509_FMT_PEM);
if (ret < 0)
fail ("crt_import %d\n", ret);
ret = gnutls_x509_crt_print (cert, GNUTLS_CRT_PRINT_ONELINE, &out);
if (ret < 0)
fail ("x509_crt_print %d\n", ret);
if (out.size != strlen (info) || strcmp (out.data, info) != 0)
fail ("comparison fail (%d/%d)\nexpect: %s\n got: %.*s\n",
out.size, (int) strlen (info), info, out.size, out.data);
gnutls_x509_crt_deinit (cert);
gnutls_global_deinit ();
gnutls_free (out.data);
if (debug)
success ("done\n");
}
int
tls_import_cert(const uschar * buf, void ** cert)
{
void * reset_point = store_get(0);
gnutls_datum_t datum;
gnutls_x509_crt_t crt = *(gnutls_x509_crt_t *)cert;
int fail = 0;
if (crt)
gnutls_x509_crt_deinit(crt);
else
gnutls_global_init();
gnutls_x509_crt_init(&crt);
datum.data = string_unprinting(US buf);
datum.size = Ustrlen(datum.data);
if ((fail = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM)))
{
log_write(0, LOG_MAIN, "TLS error in certificate import: %s",
gnutls_strerror(fail));
fail = 1;
}
else
*cert = (void *)crt;
store_reset(reset_point);
return fail;
}
LIBETPAN_EXPORT
int mailstream_ssl_set_client_certificate_data(struct mailstream_ssl_context * ssl_context,
unsigned char *x509_der, size_t len)
{
#ifdef USE_SSL
#ifndef USE_GNUTLS
X509 *x509 = NULL;
if (x509_der != NULL && len > 0)
x509 = d2i_X509(NULL, (const unsigned char **)&x509_der, len);
ssl_context->client_x509 = (X509 *)x509;
return 0;
#else
gnutls_datum tmp;
int r;
ssl_context->client_x509 = NULL;
if (len == 0)
return 0;
gnutls_x509_crt_init(&(ssl_context->client_x509));
tmp.data = x509_der;
tmp.size = len;
if ((r = gnutls_x509_crt_import(ssl_context->client_x509, &tmp, GNUTLS_X509_FMT_DER)) < 0) {
gnutls_x509_crt_deinit(ssl_context->client_x509); /* ici */
ssl_context->client_x509 = NULL;
return -1;
}
return 0;
#endif
#endif
return -1;
}
static gnutls_x509_crt_t
load_cert (const char *cert_file)
{
gnutls_x509_crt_t crt;
int ret;
gnutls_datum_t data;
size_t size;
ret = gnutls_x509_crt_init (&crt);
if (ret < 0)
exit (1);
data.data = (void *) read_binary_file (cert_file, &size);
data.size = size;
if (!data.data)
{
fprintf (stderr, "Cannot open file: %s\n", cert_file);
exit (1);
}
ret = gnutls_x509_crt_import (crt, &data, GNUTLS_X509_FMT_PEM);
free (data.data);
if (ret < 0)
{
fprintf (stderr, "Cannot import certificate in %s: %s\n",
cert_file, gnutls_strerror (ret));
exit (1);
}
return crt;
}
static int get_client_cert(gnutls_session_t session, gnutls_x509_crt_t *client_cert) {
const gnutls_datum_t *pcert;
unsigned listsize;
gnutls_x509_crt_t cert;
int r;
assert(session);
assert(client_cert);
pcert = gnutls_certificate_get_peers(session, &listsize);
if (!pcert || !listsize) {
log_error("Failed to retrieve certificate chain");
return -EINVAL;
}
r = gnutls_x509_crt_init(&cert);
if (r < 0) {
log_error("Failed to initialize client certificate");
return r;
}
/* Note that by passing values between 0 and listsize here, you
can get access to the CA's certs */
r = gnutls_x509_crt_import(cert, &pcert[0], GNUTLS_X509_FMT_DER);
if (r < 0) {
log_error("Failed to import client certificate");
gnutls_x509_crt_deinit(cert);
return r;
}
*client_cert = cert;
return 0;
}
/*-
* gnutls_x509_extract_certificate_issuer_dn - This function returns the certificate's issuer distinguished name
* @cert: should contain an X.509 DER encoded certificate
* @ret: a pointer to a structure to hold the issuer's name
*
* This function will return the name of the issuer stated in the certificate. The name is a gnutls_x509_dn structure and
* is a obtained by the peer's certificate. If the certificate send by the
* peer is invalid, or in any other failure this function returns error.
* Returns a negative error code in case of an error.
*
-*/
int
gnutls_x509_extract_certificate_issuer_dn (const gnutls_datum_t * cert,
gnutls_x509_dn * ret)
{
gnutls_x509_crt_t xcert;
int result;
size_t len;
result = gnutls_x509_crt_init (&xcert);
if (result < 0)
return result;
result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER);
if (result < 0)
{
gnutls_x509_crt_deinit (xcert);
return result;
}
len = sizeof (ret->country);
gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
GNUTLS_OID_X520_COUNTRY_NAME, 0,
0, ret->country, &len);
len = sizeof (ret->organization);
gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
GNUTLS_OID_X520_ORGANIZATION_NAME,
0, 0, ret->organization, &len);
len = sizeof (ret->organizational_unit_name);
gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME,
0, 0,
ret->organizational_unit_name, &len);
len = sizeof (ret->common_name);
gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
GNUTLS_OID_X520_COMMON_NAME, 0, 0,
ret->common_name, &len);
len = sizeof (ret->locality_name);
gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
GNUTLS_OID_X520_LOCALITY_NAME, 0,
0, ret->locality_name, &len);
len = sizeof (ret->state_or_province_name);
gnutls_x509_crt_get_issuer_dn_by_oid (xcert,
GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME,
0, 0, ret->state_or_province_name,
&len);
len = sizeof (ret->email);
gnutls_x509_crt_get_issuer_dn_by_oid (xcert, GNUTLS_OID_PKCS9_EMAIL, 0,
0, ret->email, &len);
gnutls_x509_crt_deinit (xcert);
return 0;
}