author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2002-01-14 09:33:49 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2002-01-14 09:33:49 +0000 |
commit | 504e66b8d25a354109f9e26ad9b7884ab7c8a6e1 (patch) | |
tree | 59677bd8ec7c55fa264c0934a67f4e3fd576fff9 | |
parent | 6bde3051be5a3894dc5e795d0c4cf846f4412ac5 (diff) | |
Added gnutls_x509pki_set_trust_mem() and gnutls_x509pki_set_key_mem()
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | THANKS | 20 | ||||
-rw-r--r-- | lib/gnutls.h.in.in | 3 | ||||
-rw-r--r-- | lib/gnutls_cert.c | 210 | ||||
-rw-r--r-- | lib/x509_b64.c | 2 | ||||
-rw-r--r-- | lib/x509_b64.h | 4 |
6 files changed, 189 insertions, 53 deletions
@@ -1,7 +1,8 @@
 Version ?.?.?
 - Added gnutls_x509pki_verify_certificate()
+- Added gnutls_x509pki_set_trust_mem() and gnutls_x509pki_set_key_mem()
 
-Version 0.3.2 (5/01/2001)
+Version 0.3.2 (5/01/2002)
 - Corrected bug which did not allow a client to accept multiple CA names
 - Added gnutls_fingerprint()
 - Added gnutls_x509pki_extract_certificate_serial()
@@ -1,8 +1,12 @@
-Werner Koch <wk@gnupg.org>
-Tarun Upadhyay <tarun@poboxes.com>
-Neil Spring <nspring@saavie.org>
-Paul Sheer <psheer@icon.co.za>
-Jon Nelson <jnelson@securepipe.com>
-Simon Josefsson <jas@extundo.com>
-Marco d'Itri <md@linux.it>
-Mike Siers <mikes@poliac.com>
+Here is a list of people, who helped in GnuTLS development.
+Please help us to keep it complete and free of errors.
+
+Werner Koch <wk@gnupg.org>
+Tarun Upadhyay <tarun@poboxes.com>
+Neil Spring <nspring@saavie.org>
+Paul Sheer <psheer@icon.co.za>
+Jon Nelson <jnelson@securepipe.com>
+Simon Josefsson <jas@extundo.com>
+Marco d'Itri <md@linux.it>
+Mike Siers <mikes@poliac.com>
+
diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in
index d9001b50f4..7f324229c2 100644
--- a/lib/gnutls.h.in.in
+++ b/lib/gnutls.h.in.in
@@ -210,6 +210,9 @@ int gnutls_x509pki_allocate_sc( GNUTLS_X509PKI_CREDENTIALS *sc, int ncerts);
 int gnutls_x509pki_set_key_file( GNUTLS_X509PKI_CREDENTIALS res, char *CERTFILE, char* KEYFILE);
 int gnutls_x509pki_set_trust_file( GNUTLS_X509PKI_CREDENTIALS res, char* CAFILE, char* CRLFILE);
 
+int gnutls_x509pki_set_trust_mem(GNUTLS_X509PKI_CREDENTIALS res, const gnutls_datum *CA, const gnutls_datum *CRL);
+int gnutls_x509pki_set_key_mem(GNUTLS_X509PKI_CREDENTIALS res, const gnutls_datum* CERT, const gnutls_datum* KEY);
+
 #define gnutls_x509pki_free_server_sc gnutls_x509pki_free_sc
 #define gnutls_x509pki_allocate_server_sc gnutls_x509pki_allocate_sc
 #define gnutls_x509pki_set_server_key_file gnutls_x509pki_set_key_file
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 702d9ca8bf..97d9124aa5 100644
--- a/lib/gnutls_cert.c
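Review bot: The two new prototypes do not say whether the credentials keep a reference to CA, CERT and KEY or only parse them during the call, and a caller holding a private key in memory needs to know when it may wipe that buffer. The implementation in this commit base64-decodes each datum into a freshly allocated buffer (see read_key_mem), which suggests the input is not retained, but read_cert_mem's parsing loop is outside the shown hunks, so confirm before documenting. A comment above the two declarations such as `/* The datum contents are parsed during the call and not retained; callers may free or wipe them afterwards. */` would settle it. Also `const gnutls_datum* CERT` and `const gnutls_datum *CA` place the `*` differently on two adjacent lines; pick one.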
+++ b/lib/gnutls_cert.c
@@ -136,26 +136,18 @@ void gnutls_x509pki_free_sc(GNUTLS_X509PKI_CREDENTIALS sc)
 #define MAX_FILE_SIZE 100*1024
 #define CERT_SEP "-----BEGIN"
 
-/* Reads a base64 encoded certificate file
+/* Reads a base64 encoded certificate from memory
  */
-static int read_cert_file(GNUTLS_X509PKI_CREDENTIALS res, char *certfile)
+static int read_cert_mem(GNUTLS_X509PKI_CREDENTIALS res, const char *cert, int cert_size)
 {
 	int siz, i, siz2;
 	opaque *b64;
-	char x[MAX_FILE_SIZE];
-	char *ptr;
-	FILE *fd1;
+	const char *ptr;
 	gnutls_datum tmp;
 	int ret;
 
-	fd1 = fopen(certfile, "r");
-	if (fd1 == NULL)
-		return GNUTLS_E_UNKNOWN_ERROR;
-
-	siz = fread(x, 1, sizeof(x), fd1);
-	fclose(fd1);
-
-	ptr = x;
+	ptr = cert;
+	siz = cert_size;
 
 	i = 1;
 	res->cert_list[res->ncerts] = NULL;
@@ -214,29 +206,20 @@ static int read_cert_file(GNUTLS_X509PKI_CREDENTIALS res, char *certfile)
 	return 0;
 }
 
-/* Reads a base64 encoded CA file (file contains multiple certificate
- * authorities). This is to be called once.
+/* Reads a base64 encoded CA list from memory
+ * This is to be called once.
  */
-static int read_ca_file(GNUTLS_X509PKI_CREDENTIALS res, char *cafile)
+static int read_ca_mem(GNUTLS_X509PKI_CREDENTIALS res, const char *ca, int ca_size)
 {
 	int siz, siz2, i;
 	opaque *b64;
-	char x[MAX_FILE_SIZE];
-	char *ptr;
-	FILE *fd1;
+	const char *ptr;
 	int ret;
 	gnutls_datum tmp;
 
-	fd1 = fopen(cafile, "r");
-	if (fd1 == NULL) {
-		gnutls_assert();
-		return GNUTLS_E_UNKNOWN_ERROR;
-	}
+	siz = ca_size;
 
-	siz = fread(x, 1, sizeof(x), fd1);
-	fclose(fd1);
-
-	ptr = x;
+	ptr = ca;
 
 	res->ncas = 0;
 	i = 1;
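Review bot: read_cert_mem now receives a caller-supplied buffer through `ptr = cert; siz = cert_size;`, but the scan for CERT_SEP that follows `res->cert_list[res->ncerts] = NULL;` is outside the hunk, so it is not visible whether it is bounded by cert_size or relies on a string search over ptr; the file variant handed it an fread() buffer with no terminator, and a gnutls_datum carries none either, so a string search would read past the caller's data. The contract should be stated on the function, e.g. `/* cert need not be NUL-terminated; only cert_size bytes are examined */` if the loop is bounded, or the loop fixed if it is not. An explicit `if (cert == NULL || cert_size <= 0) return GNUTLS_E_UNKNOWN_ERROR;` before the scan would also reject an empty datum instead of leaving that to the parser. The function body continues past the hunk.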
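Review bot: read_ca_mem unconditionally executes `res->ncas = 0;`, so a second gnutls_x509pki_set_trust_mem or _file call silently forgets the CA list parsed by the first, and whatever ca_list memory that list occupied is presumably never released; the comment "This is to be called once" documents the restriction but nothing enforces it. Since both public entry points now funnel through this function, a guard here, `if (res->ncas != 0) { gnutls_assert(); return GNUTLS_E_UNKNOWN_ERROR; }`, would turn the silent overwrite into an error, or the old list should be freed before the reset. How ca_list is allocated is not visible in the hunk, so the freeing side needs checking against the rest of the file. The body continues past the hunk.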
@@ -287,26 +270,18 @@ static int read_ca_file(GNUTLS_X509PKI_CREDENTIALS res, char *cafile)
 
 
 }
 
-/* Reads a PEM encoded PKCS-1 RSA private key file
+/* Reads a PEM encoded PKCS-1 RSA private key from memory
  */
-static int read_key_file(GNUTLS_X509PKI_CREDENTIALS res, char *keyfile)
+static int read_key_mem(GNUTLS_X509PKI_CREDENTIALS res, const char *key, int key_size)
 {
 	int siz, ret;
 	opaque *b64;
 	gnutls_datum tmp;
-	char x[MAX_FILE_SIZE];
-	FILE *fd2;
 
-	fd2 = fopen(keyfile, "r");
-	if (fd2 == NULL)
-		return GNUTLS_E_UNKNOWN_ERROR;
+	/* read PKCS-1 private key */
+	siz = key_size;
 
-/* second file - PKCS-1 private key */
-
-	siz = fread(x, 1, sizeof(x), fd2);
-	fclose(fd2);
-
-	siz = _gnutls_fbase64_decode(x, siz, &b64);
+	siz = _gnutls_fbase64_decode(key, siz, &b64);
 	if (siz < 0) {
 		gnutls_assert();
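Review bot: `siz = key_size;` followed by `siz = _gnutls_fbase64_decode(key, siz, &b64);` assigns siz only to pass it straight back, a leftover from the fread() it replaced; passing the parameter directly, `siz = _gnutls_fbase64_decode(key, key_size, &b64);`, and dropping the assignment (the `/* read PKCS-1 private key */` comment can stay) reads more clearly. Separately, b64 now holds the DER-encoded private key; where it is released after import is outside the hunk, and if that is a plain gnutls_free, wiping the buffer before freeing it is worth adding. read_key_mem's body continues past the hunk.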
@@ -329,6 +304,64 @@ static int read_key_file(GNUTLS_X509PKI_CREDENTIALS res, char *keyfile)
 
 	return 0;
 }
+/* Reads a base64 encoded certificate file
+ */
+static int read_cert_file(GNUTLS_X509PKI_CREDENTIALS res, char *certfile)
+{
+	int siz;
+	char x[MAX_FILE_SIZE];
+	FILE *fd1;
+
+	fd1 = fopen(certfile, "r");
+	if (fd1 == NULL)
+		return GNUTLS_E_UNKNOWN_ERROR;
+
+	siz = fread(x, 1, sizeof(x), fd1);
+	fclose(fd1);
+
+	return read_cert_mem( res, x, siz);
+
+}
+
+/* Reads a base64 encoded CA file (file contains multiple certificate
+ * authorities). This is to be called once.
+ */
+static int read_ca_file(GNUTLS_X509PKI_CREDENTIALS res, char *cafile)
+{
+	int siz;
+	char x[MAX_FILE_SIZE];
+	FILE *fd1;
+
+	fd1 = fopen(cafile, "r");
+	if (fd1 == NULL) {
+		gnutls_assert();
+		return GNUTLS_E_UNKNOWN_ERROR;
+	}
+
+	siz = fread(x, 1, sizeof(x), fd1);
+	fclose(fd1);
+
+	return read_ca_mem( res, x, siz);
+}
+
+
+/* Reads a PEM encoded PKCS-1 RSA private key file
+ */
+static int read_key_file(GNUTLS_X509PKI_CREDENTIALS res, char *keyfile)
+{
+	int siz;
+	char x[MAX_FILE_SIZE];
+	FILE *fd2;
+
+	fd2 = fopen(keyfile, "r");
+	if (fd2 == NULL)
+		return GNUTLS_E_UNKNOWN_ERROR;
+
+	siz = fread(x, 1, sizeof(x), fd2);
+	fclose(fd2);
+
+	return read_key_mem( res, x, siz);
+}
 
 /**
  * gnutls_x509pki_allocate_sc - Used to allocate an x509 SERVER CREDENTIALS structure
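Review bot: All three new wrappers call `siz = fread(x, 1, sizeof(x), fd1);` and pass the result on without checking ferror() or whether the file was larger than MAX_FILE_SIZE, so a CA bundle or certificate chain above 100 KiB is silently cut at 100 KiB and every certificate past that point is dropped without an error, and a read error is parsed as a short file. The three bodies are identical apart from the error-path style, so one bounded-read helper that fails on error or overflow keeps the check in a single place. read_key_file additionally leaves the PEM key in the stack array x on return; a memset before returning would scrub it (a compiler may drop a memset of a dying object, but it costs nothing to ask). The hunk ends inside the doc comment of gnutls_x509pki_allocate_sc.

```c
/* Reads at most bufsize bytes of path into buf. Fails, instead of
 * silently truncating, when the file does not fit or a read error
 * occurs. On success stores the number of bytes read in *out_size.
 */
static int read_file_bounded(const char *path, char *buf, size_t bufsize, int *out_size)
{
	FILE *fd;
	size_t siz;

	fd = fopen(path, "r");
	if (fd == NULL)
		return GNUTLS_E_UNKNOWN_ERROR;

	siz = fread(buf, 1, bufsize, fd);
	/* read error, or more data than fits in the buffer */
	if (ferror(fd) || (siz == bufsize && fgetc(fd) != EOF)) {
		fclose(fd);
		gnutls_assert();
		return GNUTLS_E_UNKNOWN_ERROR;
	}
	fclose(fd);

	*out_size = (int) siz;
	return 0;
}

/* Reads a base64 encoded certificate file
 */
static int read_cert_file(GNUTLS_X509PKI_CREDENTIALS res, char *certfile)
{
	int siz, ret;
	char x[MAX_FILE_SIZE];

	if ((ret = read_file_bounded(certfile, x, sizeof(x), &siz)) < 0)
		return ret;

	return read_cert_mem(res, x, siz);
}

/* … unchanged in shape: read_ca_file and read_key_file call read_file_bounded
 * the same way; read_key_file clears x with memset before returning … */
```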
@@ -477,6 +510,101 @@ int gnutls_x509pki_set_trust_file(GNUTLS_X509PKI_CREDENTIALS res, char *CAFILE,
 }
 
 /**
+ * gnutls_x509pki_set_key_mem - Used to set keys in a GNUTLS_X509PKI_CREDENTIALS structure
+ * @res: is an &GNUTLS_X509PKI_CREDENTIALS structure.
+ * @CERT: contains a PEM encoded certificate list (path) for
+ * the specified private key
+ * @KEY: is a PEM encoded private key
+ *
+ * This function sets a certificate/private key pair in the
+ * GNUTLS_X509PKI_CREDENTIALS structure. This function may be called
+ * more than once (in case multiple keys/certificates exist for the
+ * server).
+ *
+ * Currently only PKCS-1 PEM encoded RSA private keys are accepted by
+ * this function.
+ *
+ **/
+int gnutls_x509pki_set_key_mem(GNUTLS_X509PKI_CREDENTIALS res, const gnutls_datum* CERT,
+			       const gnutls_datum* KEY)
+{
+	int ret;
+
+	/* this should be first
+	 */
+	if ((ret = read_key_mem( res, KEY->data, KEY->size)) < 0)
+		return ret;
+
+	if ((ret = read_cert_mem( res, CERT->data, CERT->size)) < 0)
+		return ret;
+
+	return 0;
+}
+
+/**
+ * gnutls_x509pki_set_trust_mem - Used to set trusted CAs in a GNUTLS_X509PKI_CREDENTIALS structure
+ * @res: is an &GNUTLS_X509PKI_CREDENTIALS structure.
+ * @CA: is a PEM encoded list of trusted CAs
+ * @CRL: is a PEM encoded list of CRLs (ignored for now)
+ *
+ * This function sets the trusted CAs in order to verify client
+ * certificates.
+ **/
+int gnutls_x509pki_set_trust_mem(GNUTLS_X509PKI_CREDENTIALS res, const gnutls_datum *CA,
+				 const gnutls_datum *CRL)
+{
+	int ret, size, i;
+	opaque *pdata;
+	gnutls_datum tmp;
+
+	if ((ret = read_ca_mem(res, CA->data, CA->size)) < 0)
+		return ret;
+
+	/* Generate the RDN sequence
+	 * This will be sent to clients when a certificate
+	 * request message is sent.
+	 */
+
+	/* FIXME: in case of a client it is not needed
+	 * to do that. This would save time and memory.
+	 * However we don't have that information available
+	 * here.
+	 */
+
+	size = 0;
+	for (i = 0; i < res->ncas; i++) {
+		if ((ret = _gnutls_find_dn(&tmp, &res->ca_list[i])) < 0) {
+			gnutls_assert();
+			return ret;
+		}
+		size += (2 + tmp.size);
+	}
+
+	res->rdn_sequence.data = gnutls_malloc(size);
+	if (res->rdn_sequence.data == NULL) {
+		gnutls_assert();
+		return GNUTLS_E_MEMORY_ERROR;
+	}
+	res->rdn_sequence.size = size;
+
+	pdata = res->rdn_sequence.data;
+
+	for (i = 0; i < res->ncas; i++) {
+		if ((ret = _gnutls_find_dn(&tmp, &res->ca_list[i])) < 0) {
+			gnutls_free(res->rdn_sequence.data);
+			res->rdn_sequence.size = 0;
+			res->rdn_sequence.data = NULL;
+			gnutls_assert();
+			return ret;
+		}
+		WRITEdatum16(pdata, tmp);
+		pdata += (2 + tmp.size);
+	}
+
+	return 0;
+}
+
+/**
  * gnutls_x509pki_set_dh_bits - Used to set the bits for a DHE_* ciphersuite
  * @state: is a &GNUTLS_STATE structure.
  * @bits: is the number of bits
diff --git a/lib/x509_b64.c b/lib/x509_b64.c
index ce26b85603..413da8f8d1 100644
--- a/lib/x509_b64.c
+++ b/lib/x509_b64.c
@@ -330,7 +330,7 @@ inline static int cpydata(uint8 * data, int data_size, uint8 ** result)
  * The result_size is the return value
  */
 #define ENDSTR "-----\n"
-int _gnutls_fbase64_decode( uint8 * data, int data_size,
+int _gnutls_fbase64_decode( const uint8 * data, int data_size,
 			   uint8 ** result)
 {
 	int ret;
diff --git a/lib/x509_b64.h b/lib/x509_b64.h
index 94a546c2f1..34ef20b5c2 100644
--- a/lib/x509_b64.h
+++ b/lib/x509_b64.h
@@ -1,6 +1,6 @@
 int _gnutls_base64_encode(uint8 * data, int data_size, uint8 ** result);
-int _gnutls_fbase64_encode(char *msg, uint8 * data, int data_size,
+int _gnutls_fbase64_encode(const char *msg, const uint8 * data, int data_size,
 			   uint8 ** result);
 int _gnutls_base64_decode(uint8 * data, int data_size, uint8 ** result);
-int _gnutls_fbase64_decode( uint8 * data, int data_size,
+int _gnutls_fbase64_decode( const uint8 * data, int data_size,
 			   uint8 ** result); |
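Review bot: gnutls_x509pki_set_trust_mem assigns `res->rdn_sequence.data = gnutls_malloc(size);` without releasing a sequence left behind by an earlier gnutls_x509pki_set_trust_file or _mem call, and read_ca_mem resets ncas, so a second call leaks the previous allocation instead of replacing or rejecting it; either free the old one first, `gnutls_free(res->rdn_sequence.data); res->rdn_sequence.data = NULL; res->rdn_sequence.size = 0;`, before the malloc (assuming gnutls_x509pki_allocate_sc zero-fills the structure, which is not visible here), or refuse a second call. The doc block of gnutls_x509pki_set_key_mem still reads `@CERT: contains a PEM encoded certificate list (path) for`, a leftover from the file-based variant; drop "(path)". Neither new function checks its datum arguments before dereferencing `KEY->data`, `CERT->data` or `CA->data`, and a public entry point should reject a NULL datum explicitly rather than crash. The RDN-building loop looks like a copy of what gnutls_x509pki_set_trust_file does (its body is outside the hunk); if so, a shared static helper would keep the two in step.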