/* loads a the corresponding to the private key public key either from
* a public key object or from a certificate.
*/
static int load_pubkey_obj(gnutls_pkcs11_privkey_t pkey, gnutls_pubkey_t pub)
{
int ret, iret;
gnutls_x509_crt_t crt;
ret = gnutls_pubkey_import_url(pub, pkey->url, pkey->flags);
if (ret >= 0) {
return ret;
}
iret = ret;
/* else try certificate */
ret = gnutls_x509_crt_init(&crt);
if (ret < 0) {
gnutls_assert();
return ret;
}
gnutls_x509_crt_set_pin_function(crt, pkey->pin.cb, pkey->pin.data);
ret = gnutls_x509_crt_import_url(crt, pkey->url, pkey->flags);
if (ret < 0) {
ret = iret;
goto cleanup;
}
ret = gnutls_pubkey_import_x509(pub, crt, 0);
cleanup:
gnutls_x509_crt_deinit(crt);
return ret;
}
/* Reads a certificate key from a token.
*/
static int
read_cert_url(gnutls_certificate_credentials_t res, gnutls_privkey_t key, const char *url)
{
int ret;
gnutls_x509_crt_t crt = NULL;
gnutls_pcert_st *ccert = NULL;
gnutls_str_array_t names;
gnutls_datum_t t = {NULL, 0};
unsigned i, count = 0;
_gnutls_str_array_init(&names);
ccert = gnutls_malloc(sizeof(*ccert)*MAX_PKCS11_CERT_CHAIN);
if (ccert == NULL) {
gnutls_assert();
ret = GNUTLS_E_MEMORY_ERROR;
goto cleanup;
}
ret = gnutls_x509_crt_init(&crt);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
if (res->pin.cb)
gnutls_x509_crt_set_pin_function(crt, res->pin.cb,
res->pin.data);
ret = gnutls_x509_crt_import_url(crt, url, 0);
if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
ret =
gnutls_x509_crt_import_url(crt, url,
GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = _gnutls_get_x509_name(crt, &names);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
/* Try to load the whole certificate chain from the PKCS #11 token */
for (i=0;i<MAX_PKCS11_CERT_CHAIN;i++) {
ret = gnutls_x509_crt_check_issuer(crt, crt);
if (i > 0 && ret != 0) {
/* self signed */
break;
}
ret = gnutls_pcert_import_x509(&ccert[i], crt, 0);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
count++;
ret = _gnutls_get_raw_issuer(url, crt, &t, 0);
if (ret < 0)
break;
gnutls_x509_crt_deinit(crt);
crt = NULL;
ret = gnutls_x509_crt_init(&crt);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret = gnutls_x509_crt_import(crt, &t, GNUTLS_X509_FMT_DER);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
gnutls_free(t.data);
}
ret = _gnutls_certificate_credential_append_keypair(res, key, names, ccert, count);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
if (crt != NULL)
gnutls_x509_crt_deinit(crt);
return 0;
cleanup:
if (crt != NULL)
gnutls_x509_crt_deinit(crt);
gnutls_free(t.data);
_gnutls_str_array_clear(&names);
gnutls_free(ccert);
return ret;
}
/* Load the certificate and the private key.
*/
static void
load_keys (void)
{
unsigned int crt_num;
int ret;
unsigned int i;
gnutls_datum_t data = { NULL, 0 };
gnutls_x509_crt_t crt_list[MAX_CRT];
unsigned char keyid[GNUTLS_OPENPGP_KEYID_SIZE];
if (x509_certfile != NULL && x509_keyfile != NULL)
{
#ifdef ENABLE_PKCS11
if (strncmp (x509_certfile, "pkcs11:", 7) == 0)
{
crt_num = 1;
gnutls_x509_crt_init (&crt_list[0]);
gnutls_x509_crt_set_pin_function(crt_list[0], pin_callback, NULL);
ret =
gnutls_x509_crt_import_pkcs11_url (crt_list[0], x509_certfile, 0);
if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
ret =
gnutls_x509_crt_import_pkcs11_url (crt_list[0], x509_certfile,
GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
if (ret < 0)
{
fprintf (stderr, "*** Error loading cert file.\n");
exit (1);
}
x509_crt_size = 1;
}
else
#endif /* ENABLE_PKCS11 */
{
ret = gnutls_load_file (x509_certfile, &data);
if (ret < 0)
{
fprintf (stderr, "*** Error loading cert file.\n");
exit (1);
}
crt_num = MAX_CRT;
ret =
gnutls_x509_crt_list_import (crt_list, &crt_num, &data,
x509ctype,
GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
if (ret < 0)
{
if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
{
fprintf (stderr,
"*** Error loading cert file: Too many certs %d\n",
crt_num);
}
else
{
fprintf (stderr,
"*** Error loading cert file: %s\n",
gnutls_strerror (ret));
}
exit (1);
}
x509_crt_size = ret;
}
for (i=0;i<x509_crt_size;i++)
{
ret = gnutls_pcert_import_x509(&x509_crt[i], crt_list[i], 0);
if (ret < 0)
{
fprintf(stderr, "*** Error importing crt to pcert: %s\n",
gnutls_strerror(ret));
exit(1);
}
gnutls_x509_crt_deinit(crt_list[i]);
}
gnutls_free (data.data);
ret = gnutls_privkey_init(&x509_key);
if (ret < 0)
{
fprintf (stderr, "*** Error initializing key: %s\n",
gnutls_strerror (ret));
exit (1);
}
gnutls_privkey_set_pin_function(x509_key, pin_callback, NULL);
if (gnutls_url_is_supported(x509_keyfile) != 0)
{
ret =
gnutls_privkey_import_url (x509_key, x509_keyfile, 0);
if (ret < 0)
{
fprintf (stderr, "*** Error loading url: %s\n",
gnutls_strerror (ret));
exit (1);
}
}
else
{
ret = gnutls_load_file (x509_keyfile, &data);
if (ret < 0)
{
fprintf (stderr, "*** Error loading key file.\n");
exit (1);
}
ret = gnutls_privkey_import_x509_raw( x509_key, &data, x509ctype, NULL, 0);
if (ret < 0)
{
fprintf (stderr, "*** Error loading url: %s\n",
gnutls_strerror (ret));
exit (1);
}
gnutls_free(data.data);
}
fprintf (stdout, "Processed %d client X.509 certificates...\n",
x509_crt_size);
}
#ifdef ENABLE_OPENPGP
if (HAVE_OPT(PGPSUBKEY))
{
get_keyid (keyid, OPT_ARG(PGPSUBKEY));
}
if (pgp_certfile != NULL && pgp_keyfile != NULL)
{
gnutls_openpgp_crt_t tmp_pgp_crt;
ret = gnutls_load_file (pgp_certfile, &data);
if (ret < 0)
{
fprintf (stderr, "*** Error loading PGP cert file.\n");
exit (1);
}
gnutls_openpgp_crt_init (&tmp_pgp_crt);
ret =
gnutls_pcert_import_openpgp_raw (&pgp_crt, &data, GNUTLS_OPENPGP_FMT_BASE64, HAVE_OPT(PGPSUBKEY)?keyid:NULL, 0);
if (ret < 0)
{
fprintf (stderr,
"*** Error loading PGP cert file: %s\n",
gnutls_strerror (ret));
exit (1);
}
gnutls_free (data.data);
ret = gnutls_privkey_init(&pgp_key);
if (ret < 0)
{
fprintf (stderr, "*** Error initializing key: %s\n",
gnutls_strerror (ret));
exit (1);
}
gnutls_privkey_set_pin_function(pgp_key, pin_callback, NULL);
if (gnutls_url_is_supported (pgp_keyfile))
{
ret = gnutls_privkey_import_url( pgp_key, pgp_keyfile, 0);
if (ret < 0)
{
fprintf (stderr, "*** Error loading url: %s\n",
gnutls_strerror (ret));
exit (1);
}
}
else
{
ret = gnutls_load_file (pgp_keyfile, &data);
if (ret < 0)
{
fprintf (stderr, "*** Error loading key file.\n");
exit (1);
}
if (HAVE_OPT(PGPSUBKEY))
ret = gnutls_privkey_import_openpgp_raw( pgp_key, &data, x509ctype, keyid, NULL);
else
ret = gnutls_privkey_import_openpgp_raw( pgp_key, &data, x509ctype, NULL, NULL);
if (ret < 0)
{
fprintf (stderr, "*** Error loading url: %s\n",
gnutls_strerror (ret));
exit (1);
}
gnutls_free(data.data);
}
fprintf (stdout, "Processed 1 client PGP certificate...\n");
}
#endif
}
