optimized certificate handling API

author: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2001-12-05 13:41:46 +0000
committer: Nikos Mavrogiannopoulos <nmav@gnutls.org> 2001-12-05 13:41:46 +0000
commit: 3566f540c2ea57ef3fced95b06f6ba52f4f24ab8 (patch)
tree: d47fb1e64c4060ff98543f33fa82d048ba533e7d /lib
parent: 091cea8dbd1e5fbd940d4c863b68d5eb5ff7cab3 (diff)
download: gnutls-3566f540c2ea57ef3fced95b06f6ba52f4f24ab8.tar.gz
4 files changed, 66 insertions, 104 deletions
diff --git a/lib/auth_x509.c b/lib/auth_x509.c
index b29adfb52b..054fc30a91 100644
--- a/lib/auth_x509.c
+++ b/lib/auth_x509.c
@@ -819,7 +819,7 @@ int _gnutls_find_apr_cert( GNUTLS_STATE state, gnutls_cert** apr_cert_list, int
 
 /**
   * gnutls_x509pki_get_peer_dn - This function returns the peer's distinguished name
-  * @state: is a gnutls state
+  * @cert: should contain an X.509 DER encoded certificate
   * @ret: a pointer to a structure to hold the peer's name
   *
   * This function will return the name of the peer. The name is gnutls_DN structure and 
@@ -828,20 +828,13 @@ int _gnutls_find_apr_cert( GNUTLS_STATE state, gnutls_cert** apr_cert_list, int
   * Returns a negative error code in case of an error.
   *
   **/
-int gnutls_x509pki_get_peer_dn(GNUTLS_STATE state, gnutls_DN * ret)
+int gnutls_x509pki_extract_dn(const gnutls_datum* cert, gnutls_DN * ret)
 {
-	X509PKI_AUTH_INFO info;
 	node_asn *c2;
 	int result;
 
-	CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST);
-
 	memset( ret, 0, sizeof(gnutls_DN));
 
-	info = _gnutls_get_auth_info(state);
-	if (info == NULL)
-		return GNUTLS_E_INVALID_REQUEST;
-
 	if (asn1_create_structure
 	    (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2,
 	     "certificate2")
@@ -851,7 +844,7 @@ int gnutls_x509pki_get_peer_dn(GNUTLS_STATE state, gnutls_DN * ret)
 	}
 
 
-	result = asn1_get_der(c2, info->raw_certificate_list[0].data, info->raw_certificate_list[0].size);
+	result = asn1_get_der(c2, cert->data, cert->size);
 	if (result != ASN_OK) {
 		/* couldn't decode DER */
 #ifdef DEBUG
@@ -876,30 +869,23 @@ int gnutls_x509pki_get_peer_dn(GNUTLS_STATE state, gnutls_DN * ret)
 }
 
 /**
-  * gnutls_x509pki_get_issuer_dn - This function returns the peer's issuer distinguished name
-  * @state: is a gnutls state
+  * gnutls_x509pki_extract_issuer_dn - This function returns the certificate's issuer distinguished name
+  * @cert: should contain an X.509 DER encoded certificate
   * @ret: a pointer to a structure to hold the issuer's name
   *
-  * This function will return the name of the issuer of peer. The name is a gnutls_DN structure and 
+  * This function will return the name of the issuer stated in the certificate. The name is a gnutls_DN structure and 
   * is a obtained by the peer's certificate. If the certificate send by the
   * peer is invalid, or in any other failure this function returns error.
   * Returns a negative error code in case of an error.
   *
   **/
-int gnutls_x509pki_get_issuer_dn(GNUTLS_STATE state, gnutls_DN * ret)
+int gnutls_x509pki_extract_issuer_dn(const gnutls_datum* cert, gnutls_DN * ret)
 {
-	X509PKI_AUTH_INFO info;
 	node_asn *c2;
 	int result;
 
-	CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST);
-
 	memset( ret, 0, sizeof(gnutls_DN));
 
-	info = _gnutls_get_auth_info(state);
-	if (info == NULL)
-		return GNUTLS_E_INVALID_REQUEST;
-
 	if (asn1_create_structure
 	    (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2,
 	     "certificate2")
@@ -908,7 +894,7 @@ int gnutls_x509pki_get_issuer_dn(GNUTLS_STATE state, gnutls_DN * ret)
 		return GNUTLS_E_ASN1_ERROR;
 	}
 
-	result = asn1_get_der(c2, info->raw_certificate_list[0].data, info->raw_certificate_list[0].size);
+	result = asn1_get_der(c2, cert->data, cert->size);
 	if (result != ASN_OK) {
 		/* couldn't decode DER */
 #ifdef DEBUG
@@ -933,12 +919,14 @@ int gnutls_x509pki_get_issuer_dn(GNUTLS_STATE state, gnutls_DN * ret)
 }
 
 /**
-  * gnutls_x509pki_get_subject_dns_name - This function returns the peer's dns name, if any
-  * @state: is a gnutls state
+  * gnutls_x509pki_extract_subject_dns_name - This function returns the peer's dns name, if any
+  * @cert: should contain an X.509 DER encoded certificate
   * @ret: is the place where dns name will be copied to
   * @ret_size: holds the size of ret.
   *
-  * This function will return the peer's alternative name (the dns part of it). 
+  * This function will return the alternative name (the dns part of it), contained in the
+  * given certificate.
+  * 
   * This is specified in X509v3 Certificate Extensions. 
   * GNUTLS will only return the dnsName of the Alternative name, or a negative
   * error code.
@@ -948,23 +936,15 @@ int gnutls_x509pki_get_issuer_dn(GNUTLS_STATE state, gnutls_DN * ret)
   * If the certificate does not have a DNS name then returns GNUTLS_E_DATA_NOT_AVAILABLE;
   *
   **/
-int gnutls_x509pki_get_subject_dns_name(GNUTLS_STATE state, char* ret, int *ret_size)
+int gnutls_x509pki_extract_subject_dns_name(const gnutls_datum* cert, char* ret, int *ret_size)
 {
-	X509PKI_AUTH_INFO info;
 	int result;
 	gnutls_datum dnsname;
 
-	CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST);
-
-	info = _gnutls_get_auth_info(state);
-	if (info == NULL)
-		return GNUTLS_E_INVALID_REQUEST;
-
-
 	memset(ret, 0, *ret_size);
 
 	if ((result =
-	     _gnutls_get_extension( &info->raw_certificate_list[0], "2 5 29 17", &dnsname)) < 0) {
+	     _gnutls_get_extension( cert, "2 5 29 17", &dnsname)) < 0) {
 		return result;
 	}
 
@@ -986,28 +966,20 @@ int gnutls_x509pki_get_subject_dns_name(GNUTLS_STATE state, char* ret, int *ret_
 }
 
 /**
-  * gnutls_x509pki_get_peer_certificate_activation_time - This function returns the peer's certificate activation time
-  * @state: is a gnutls state
+  * gnutls_x509pki_extract_certificate_activation_time - This function returns the peer's certificate activation time
+  * @cert: should contain an X.509 DER encoded certificate
   *
-  * This function will return the peer's certificate activation time in UNIX time 
+  * This function will return the certificate's activation time in UNIX time 
   * (ie seconds since 00:00:00 UTC January 1, 1970).
   * Returns a (time_t) -1 in case of an error.
   *
   **/
-time_t gnutls_x509pki_get_peer_certificate_activation_time(GNUTLS_STATE
-							   state)
+time_t gnutls_x509pki_extract_certificate_activation_time(const gnutls_datum * cert)
 {
-	X509PKI_AUTH_INFO info;
 	node_asn *c2;
 	int result;
 	time_t ret;
 
-	CHECK_AUTH(GNUTLS_X509PKI, -1);
-
-	info = _gnutls_get_auth_info(state);
-	if (info == NULL)
-		return -1;
-
 	if (asn1_create_structure
 	    (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2,
 	     "certificate2")
@@ -1016,7 +988,7 @@ time_t gnutls_x509pki_get_peer_certificate_activation_time(GNUTLS_STATE
 		return -1;
 	}
 
-	result = asn1_get_der(c2, info->raw_certificate_list[0].data, info->raw_certificate_list[0].size);
+	result = asn1_get_der(c2, cert->data, cert->size);
 	if (result != ASN_OK) {
 		/* couldn't decode DER */
 #ifdef DEBUG
@@ -1034,28 +1006,20 @@ time_t gnutls_x509pki_get_peer_certificate_activation_time(GNUTLS_STATE
 }
 
 /**
-  * gnutls_x509pki_get_peer_certificate_expiration_time - This function returns the peer's certificate expiration time
-  * @state: is a gnutls state
+  * gnutls_x509pki_extract_certificate_expiration_time - This function returns the certificate's expiration time
+  * @cert: should contain an X.509 DER encoded certificate
   *
-  * This function will return the peer's certificate expiration time in UNIX time 
+  * This function will return the certificate's expiration time in UNIX time 
   * (ie seconds since 00:00:00 UTC January 1, 1970).
   * Returns a (time_t) -1 in case of an error.
   *
   **/
-time_t gnutls_x509pki_get_peer_certificate_expiration_time(GNUTLS_STATE
-							   state)
+time_t gnutls_x509pki_extract_certificate_expiration_time( const gnutls_datum* cert)
 {
-	X509PKI_AUTH_INFO info;
 	node_asn *c2;
 	int result;
 	time_t ret;
 
-	CHECK_AUTH(GNUTLS_X509PKI, -1);
-
-	info = _gnutls_get_auth_info(state);
-	if (info == NULL)
-		return -1;
-
 	if (asn1_create_structure
 	    (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2,
 	     "certificate2")
@@ -1064,7 +1028,7 @@ time_t gnutls_x509pki_get_peer_certificate_expiration_time(GNUTLS_STATE
 		return -1;
 	}
 
-	result = asn1_get_der(c2, info->raw_certificate_list[0].data, info->raw_certificate_list[0].size);
+	result = asn1_get_der(c2, cert->data, cert->size);
 	if (result != ASN_OK) {
 		/* couldn't decode DER */
 #ifdef DEBUG
@@ -1082,26 +1046,18 @@ time_t gnutls_x509pki_get_peer_certificate_expiration_time(GNUTLS_STATE
 }
 
 /**
-  * gnutls_x509pki_get_peer_certificate_version - This function returns the peer's certificate version
-  * @state: is a gnutls state
+  * gnutls_x509pki_extract_certificate_version - This function returns the certificate's version
+  * @cert: is an X.509 DER encoded certificate
   *
-  * This function will return the peer's certificate version (1, 2, 3). This is obtained by the X509 Certificate
-  * Version field. If the certificate is invalid then version will be zero.
-  * Returns a negative value in case of an error.
+  * This function will return the X.509 certificate's version (1, 2, 3). This is obtained by the X509 Certificate
+  * Version field. Returns a negative value in case of an error.
   *
   **/
-int gnutls_x509pki_get_peer_certificate_version(GNUTLS_STATE state)
+int gnutls_x509pki_extract_certificate_version( const gnutls_datum* cert)
 {
-	X509PKI_AUTH_INFO info;
 	node_asn *c2;
 	int result;
 
-	CHECK_AUTH(GNUTLS_X509PKI, GNUTLS_E_INVALID_REQUEST);
-
-	info = _gnutls_get_auth_info(state);
-	if (info == NULL)
-		return GNUTLS_E_INVALID_REQUEST;
-
 	if (asn1_create_structure
 	    (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2,
 	     "certificate2")
@@ -1110,7 +1066,7 @@ int gnutls_x509pki_get_peer_certificate_version(GNUTLS_STATE state)
 		return GNUTLS_E_ASN1_ERROR;
 	}
 
-	result = asn1_get_der(c2, info->raw_certificate_list[0].data, info->raw_certificate_list[0].size);
+	result = asn1_get_der(c2, cert->data, cert->size);
 	if (result != ASN_OK) {
 		/* couldn't decode DER */
 #ifdef DEBUG
diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c
index 381194c627..a49ca4b186 100644
--- a/lib/gnutls_record.c
+++ b/lib/gnutls_record.c
@@ -408,7 +408,9 @@ int gnutls_send_alert( GNUTLS_STATE state, AlertLevel level, AlertDescription de
   *
   * Sends an alert to the peer depending on the error code returned by a gnutls
   * function. All alerts sent by this function are fatal, so connection should
-  * be considered terminated after calling this function.
+  * be considered terminated after calling this function. The only exception
+  * is when err == GNUTLS_E_REHANDSHAKE, then a warning alert is sent to
+  * the peer indicating the no renegotiation will be performed.
   *
   * This function may also return GNUTLS_E_AGAIN, or GNUTLS_E_INTERRUPTED.
   *
@@ -441,6 +443,9 @@ int ret = GNUTLS_E_UNIMPLEMENTED_FEATURE;
 		case GNUTLS_E_UNEXPECTED_PACKET:
                         ret = gnutls_send_alert( state, GNUTLS_FATAL, GNUTLS_UNEXPECTED_MESSAGE);
                         break;
+		case GNUTLS_E_REHANDSHAKE:
+                        ret = gnutls_send_alert( state, GNUTLS_WARNING, GNUTLS_NO_RENEGOTIATION);
+                        break;
                                                               
 	}
 	return ret;
diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c
index d1e7f4afa2..a2f4ae0032 100644
--- a/lib/gnutls_ui.c
+++ b/lib/gnutls_ui.c
@@ -105,7 +105,8 @@ int gnutls_anon_client_get_dh_bits(GNUTLS_STATE state)
   * @list_size: is the length of the certificate list
   *
   * This function will return the peer's raw certificate list as sent by the peer.
-  * These certificates are DER encoded. 
+  * These certificates are DER encoded. The first certificate in the list is the peer's certificate,
+  * following the issuer's certificate, then the issuer's issuer etc.
   * Returns NULL in case of an error, or if no certificate was sent.
   *
   **/
diff --git a/lib/gnutls_ui.h b/lib/gnutls_ui.h
index 0f017729b4..431833288c 100644
--- a/lib/gnutls_ui.h
+++ b/lib/gnutls_ui.h
@@ -36,7 +36,7 @@ typedef struct {
 #define X509KEY_DECIPHER_ONLY		1
 
 
-# ifdef LIBGNUTLS_VERSION /* defined only in gnutls.h */
+# ifdef LIBGNUTLS_VERSION /* These are defined only in gnutls.h */
 
 typedef int x509_cert_callback_func(const gnutls_datum *, int, const gnutls_datum *, int);
 
@@ -59,40 +59,40 @@ int gnutls_anon_client_get_dh_bits( GNUTLS_STATE state);
 int gnutls_set_x509_cert_callback( X509PKI_CREDENTIALS, x509_cert_callback_func *);
 int gnutls_x509pki_set_cert_request( GNUTLS_STATE, CertificateRequest);
 
-int gnutls_x509pki_get_certificate_request_status(  GNUTLS_STATE);
-int gnutls_x509pki_get_peer_dn( GNUTLS_STATE, gnutls_DN*);
+/* X.509 certificate handling functions */
+int gnutls_x509pki_extract_dn( const gnutls_datum*, gnutls_DN*);
+int gnutls_x509pki_extract_issuer_dn(  const gnutls_datum*, gnutls_DN *);
+int gnutls_x509pki_extract_certificate_version( const gnutls_datum*);
+time_t gnutls_x509pki_extract_certificate_activation_time( const gnutls_datum*);
+time_t gnutls_x509pki_extract_certificate_expiration_time( const gnutls_datum*);
+int gnutls_x509pki_extract_subject_dns_name( const gnutls_datum*, char*, int*);
+
+/* get data from the state */
 const gnutls_datum* gnutls_x509pki_get_peer_certificate_list( GNUTLS_STATE, int* list_size);
-int gnutls_x509pki_get_issuer_dn(  GNUTLS_STATE, gnutls_DN *);
-int gnutls_x509pki_get_peer_certificate_status( GNUTLS_STATE);
-int gnutls_x509pki_get_peer_certificate_version( GNUTLS_STATE);
-time_t gnutls_x509pki_get_peer_certificate_activation_time( GNUTLS_STATE);
-time_t gnutls_x509pki_get_peer_certificate_expiration_time( GNUTLS_STATE);
-unsigned char gnutls_x509pki_get_key_usage( GNUTLS_STATE);
-int gnutls_x509pki_get_subject_dns_name( GNUTLS_STATE, char*, int*);
 int gnutls_x509pki_get_dh_bits( GNUTLS_STATE);
+int gnutls_x509pki_get_certificate_request_status(  GNUTLS_STATE);
+int gnutls_x509pki_get_peer_certificate_status( GNUTLS_STATE);
 
 #define gnutls_x509pki_server_get_dh_bits gnutls_x509pki_get_dh_bits
 #define gnutls_x509pki_client_get_dh_bits gnutls_x509pki_get_dh_bits
 
-#define gnutls_x509pki_server_get_peer_dn gnutls_x509pki_get_peer_dn
-#define gnutls_x509pki_server_get_issuer_dn gnutls_x509pki_get_issuer_dn
+#define gnutls_x509pki_server_extract_dn gnutls_x509pki_extract_dn
+#define gnutls_x509pki_server_extract_issuer_dn gnutls_x509pki_extract_issuer_dn
 #define gnutls_x509pki_server_get_peer_certificate_status gnutls_x509pki_get_peer_certificate_status
-#define gnutls_x509pki_server_get_peer_certificate gnutls_x509pki_get_peer_certificate
-#define gnutls_x509pki_server_get_peer_certificate_version gnutls_x509pki_get_peer_certificate_version
-#define gnutls_x509pki_server_get_peer_certificate_activation_time gnutls_x509pki_get_peer_certificate_activation_time
-#define gnutls_x509pki_server_get_peer_certificate_expiration_time gnutls_x509pki_get_peer_certificate_expiration_time
-#define gnutls_x509pki_server_get_key_usage gnutls_x509pki_get_key_usage
-#define gnutls_x509pki_server_get_subject_dns_name gnutls_x509pki_get_subject_dns_name
-
-#define gnutls_x509pki_client_get_peer_dn gnutls_x509pki_get_peer_dn
-#define gnutls_x509pki_client_get_issuer_dn gnutls_x509pki_get_issuer_dn
+#define gnutls_x509pki_server_get_peer_certificate_list gnutls_x509pki_get_peer_certificate_list
+#define gnutls_x509pki_server_extract_certificate_version gnutls_x509pki_extract_certificate_version
+#define gnutls_x509pki_server_extract_certificate_activation_time gnutls_x509pki_extract_certificate_activation_time
+#define gnutls_x509pki_server_extract_certificate_expiration_time gnutls_x509pki_extract_certificate_expiration_time
+#define gnutls_x509pki_server_extract_subject_dns_name gnutls_x509pki_extract_subject_dns_name
+
+#define gnutls_x509pki_client_extract_dn gnutls_x509pki_extract_dn
+#define gnutls_x509pki_client_extract_issuer_dn gnutls_x509pki_extract_issuer_dn
 #define gnutls_x509pki_client_get_peer_certificate_status gnutls_x509pki_get_peer_certificate_status
-#define gnutls_x509pki_client_get_peer_certificate gnutls_x509pki_get_peer_certificate
-#define gnutls_x509pki_client_get_peer_certificate_version gnutls_x509pki_get_peer_certificate_version
-#define gnutls_x509pki_client_get_peer_certificate_activation_time gnutls_x509pki_get_peer_certificate_activation_time
-#define gnutls_x509pki_client_get_peer_certificate_expiration_time gnutls_x509pki_get_peer_certificate_expiration_time
-#define gnutls_x509pki_client_get_key_usage gnutls_x509pki_get_key_usage
-#define gnutls_x509pki_client_get_subject_dns_name gnutls_x509pki_get_subject_dns_name
+#define gnutls_x509pki_client_get_peer_certificate_list gnutls_x509pki_get_peer_certificate_list
+#define gnutls_x509pki_client_extract_certificate_version gnutls_x509pki_extract_certificate_version
+#define gnutls_x509pki_client_extract_certificate_activation_time gnutls_x509pki_extract_certificate_activation_time
+#define gnutls_x509pki_client_extract_certificate_expiration_time gnutls_x509pki_extract_certificate_expiration_time
+#define gnutls_x509pki_client_extract_subject_dns_name gnutls_x509pki_extract_subject_dns_name
 
 # endif /* LIBGNUTLS_VERSION */
author	Nikos Mavrogiannopoulos <nmav@gnutls.org>	2001-12-05 13:41:46 +0000
committer	Nikos Mavrogiannopoulos <nmav@gnutls.org>	2001-12-05 13:41:46 +0000
commit	3566f540c2ea57ef3fced95b06f6ba52f4f24ab8 (patch)
tree	d47fb1e64c4060ff98543f33fa82d048ba533e7d /lib
parent	091cea8dbd1e5fbd940d4c863b68d5eb5ff7cab3 (diff)
download	gnutls-3566f540c2ea57ef3fced95b06f6ba52f4f24ab8.tar.gz