107 files changed, 1111 insertions, 843 deletions
@@ -1,3 +1,7 @@
+/*
+ * The copyright holder for Gnutls is Free Software Foundation,
+ * Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
+ */
 N: Nikos Mavroyanopoulos
 A: nmav
@@ -1,3 +1,6 @@
+Version 1.1.2
+- Added CRL verification functionality to certtool.
+
 Version 1.1.1 (26/12/2003)
 - Added PKCS #7 support to certtool utility.
 - Added support for reading and generating CRL distribution
diff --git a/configure.in b/configure.in
index dd5c286b9d..32dbd3fcec 100644
--- a/configure.in
+++ b/configure.in
@@ -12,7 +12,7 @@ AC_DEFINE_UNQUOTED(T_OS, "$target_os", [OS name])
 dnl Gnutls Version
 GNUTLS_MAJOR_VERSION=1
 GNUTLS_MINOR_VERSION=1
-GNUTLS_MICRO_VERSION=1
+GNUTLS_MICRO_VERSION=2
 GNUTLS_VERSION=$GNUTLS_MAJOR_VERSION.$GNUTLS_MINOR_VERSION.$GNUTLS_MICRO_VERSION
 AC_DEFINE_UNQUOTED(GNUTLS_VERSION, "$GNUTLS_VERSION", [version of gnutls])
diff --git a/doc/tex/cover.tex.in b/doc/tex/cover.tex.in
index 48207ae20b..f82e494d02 100644
--- a/doc/tex/cover.tex.in
+++ b/doc/tex/cover.tex.in
@@ -54,6 +54,7 @@ Applies to GnuTLS @VERSION@
 \begin{center}
 \par
 Copyright \copyright\ 2001,2002,2003 Nikos Mavroyanopoulos\\
+Copyright \copyright\ 2004 Free Software Foundation\\
 \setlength{\parskip}{4mm}
 \par
 Permission is granted to copy, distribute and/or modify this document
diff --git a/includes/Makefile.am b/includes/Makefile.am
index 7b9ff9133d..cb35de5471 100644
--- a/includes/Makefile.am
+++ b/includes/Makefile.am
@@ -1,7 +1,7 @@
 ## Process this file with automake to produce Makefile.in
 nobase_include_HEADERS = gnutls/extra.h gnutls/gnutls.h $(OPENSSL_H) \
- gnutls/x509.h gnutls/compat8.h gnutls/pkcs12.h \
+ gnutls/x509.h gnutls/pkcs12.h \
 gnutls/openpgp.h
 if ENABLE_OPENSSL
diff --git a/includes/gnutls/Makefile.am b/includes/gnutls/Makefile.am
index e65e63205a..484ff83428 100644
--- a/includes/gnutls/Makefile.am
+++ b/includes/gnutls/Makefile.am
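Review bot: Dropping `gnutls/compat8.h` from `nobase_include_HEADERS` here (and from `EXTRA_DIST` in the includes/gnutls/Makefile.am hunk that follows) keeps the header out of installs and tarballs, yet the lib/x509/compat.c hunk later in this commit still carries `#include <gnutls/compat8.h>` as a context line on its new side; unless a hunk outside this view removes that include or the file itself stays in the tree, a build from the distributed tarball cannot resolve it. That compat.c hunk also deletes the public `gnutls_x509_extract_*` entry points (presumably the ones compat8.h declared), while the NEWS entry added in this commit records only the certtool CRL feature. A NEWS line naming the removed header and functions would spare downstream users a silent API break at upgrade time.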
@@ -1 +1 @@
-EXTRA_DIST = extra.h openssl.h gnutls.h x509.h compat8.h pkcs12.h openpgp.h
+EXTRA_DIST = extra.h openssl.h gnutls.h x509.h pkcs12.h openpgp.h
diff --git a/includes/gnutls/openssl.h b/includes/gnutls/openssl.h
index eb4667af9c..07d2e510c3 100644
--- a/includes/gnutls/openssl.h
+++ b/includes/gnutls/openssl.h
@@ -36,6 +36,27 @@ extern "C" {
 #include <gnutls/gnutls.h>
 #include <gcrypt.h>
+/* Extra definitions that do not longer exist in gnutls.
+ */
+#define GNUTLS_X509_CN_SIZE 256
+#define GNUTLS_X509_C_SIZE 3
+#define GNUTLS_X509_O_SIZE 256
+#define GNUTLS_X509_OU_SIZE 256
+#define GNUTLS_X509_L_SIZE 256
+#define GNUTLS_X509_S_SIZE 256
+#define GNUTLS_X509_EMAIL_SIZE 256
+
+typedef struct {
+ char common_name[GNUTLS_X509_CN_SIZE];
+ char country[GNUTLS_X509_C_SIZE];
+ char organization[GNUTLS_X509_O_SIZE];
+ char organizational_unit_name[GNUTLS_X509_OU_SIZE];
+ char locality_name[GNUTLS_X509_L_SIZE];
+ char state_or_province_name[GNUTLS_X509_S_SIZE];
+ char email[GNUTLS_X509_EMAIL_SIZE];
+} gnutls_x509_dn;
+
+
 #define OPENSSL_VERSION_NUMBER (0x0090604F)
 #define SSLEAY_VERSION_NUMBER OPENSSL_VERSION_NUMBER
 #define OPENSSL_VERSION_TEXT ("GNUTLS " LIBGNUTLS_VERSION " ")
diff --git a/lib/auth_anon.c b/lib/auth_anon.c
index 465dbdfb63..a49df2092c 100644
--- a/lib/auth_anon.c
+++ b/lib/auth_anon.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2000,2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2000,2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/auth_cert.c b/lib/auth_cert.c
index e76ece4bfc..d069ac6685 100644
--- a/lib/auth_cert.c
+++ b/lib/auth_cert.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/auth_dh_common.c b/lib/auth_dh_common.c
index 287c5c4191..7ae1ea1703 100644
--- a/lib/auth_dh_common.c
+++ b/lib/auth_dh_common.c
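Review bot: The comment introducing the new block in includes/gnutls/openssl.h, `/* Extra definitions that do not longer exist in gnutls. */`, is ungrammatical and does not say why these definitions live in the OpenSSL compatibility header; suggest `/* Legacy gnutls_x509_dn layout and field sizes, kept only for the OpenSSL compatibility layer; they are no longer part of the gnutls API proper. */`. Since `gnutls_x509_dn` is now a public struct of fixed-size `char` arrays (`GNUTLS_X509_C_SIZE` is 3, i.e. a two-character country value plus its terminator), a one-line note on the typedef that each field is a NUL-terminated string bounded by its `*_SIZE` macro would make the fill contract explicit for whatever code populates it. If the compat8.h being dropped from the install lists previously carried these same macros and typedef, an application that still has an older copy of that header installed next to this openssl.h would hit redefinitions; this is hedged, as the header's own deletion is not in this view.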
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/auth_dhe.c b/lib/auth_dhe.c
index 9b8be03b8e..79f499156f 100644
--- a/lib/auth_dhe.c
+++ b/lib/auth_dhe.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2000,2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/auth_rsa.c b/lib/auth_rsa.c
index e5927e6925..5931460274 100644
--- a/lib/auth_rsa.c
+++ b/lib/auth_rsa.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2000,2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/auth_rsa_export.c b/lib/auth_rsa_export.c
index bd168d0a9a..340c7e5aa3 100644
--- a/lib/auth_rsa_export.c
+++ b/lib/auth_rsa_export.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2000,2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/debug.c b/lib/debug.c
index cc3c9f72ab..d944fe6b3b 100644
--- a/lib/debug.c
+++ b/lib/debug.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2000,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2000,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/ext_cert_type.c b/lib/ext_cert_type.c
index 7375646124..ba2998ff00 100644
--- a/lib/ext_cert_type.c
+++ b/lib/ext_cert_type.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/ext_max_record.c b/lib/ext_max_record.c
index 59e31590f8..c0ccff7f58 100644
--- a/lib/ext_max_record.c
+++ b/lib/ext_max_record.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2001 Nikos Mavroyanopoulos
+ * Copyright (C) 2001 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/ext_server_name.c b/lib/ext_server_name.c
index 2b5c4d3ddc..da278969eb 100644
--- a/lib/ext_server_name.c
+++ b/lib/ext_server_name.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_alert.c b/lib/gnutls_alert.c
index d8dc35c9a4..462bb795b6 100644
--- a/lib/gnutls_alert.c
+++ b/lib/gnutls_alert.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2000,2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_algorithms.c b/lib/gnutls_algorithms.c
index a713060bdf..13e7e14c97 100644
--- a/lib/gnutls_algorithms.c
+++ b/lib/gnutls_algorithms.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2000,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_anon_cred.c b/lib/gnutls_anon_cred.c
index 578aef62af..42b61bdf74 100644
--- a/lib/gnutls_anon_cred.c
+++ b/lib/gnutls_anon_cred.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2001 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_auth.c b/lib/gnutls_auth.c
index 2c5bef6f9a..deaed91266 100644
--- a/lib/gnutls_auth.c
+++ b/lib/gnutls_auth.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_buffers.c b/lib/gnutls_buffers.c
index 2b80b9ad5b..02d22370c0 100644
--- a/lib/gnutls_buffers.c
+++ b/lib/gnutls_buffers.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2000,2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 8366a5c392..13eb2180ec 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
index cca6a8fed4..b0ca7a2311 100644
--- a/lib/gnutls_cipher.c
+++ b/lib/gnutls_cipher.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2000,2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_cipher_int.c b/lib/gnutls_cipher_int.c
index 05267fff1b..c0b97f2408 100644
--- a/lib/gnutls_cipher_int.c
+++ b/lib/gnutls_cipher_int.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2000 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_compress.c b/lib/gnutls_compress.c
index 0cf65e041e..06d5ccdef9 100644
--- a/lib/gnutls_compress.c
+++ b/lib/gnutls_compress.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2000 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_compress_int.c b/lib/gnutls_compress_int.c
index b246a72a0a..3bd2b0d5d3 100644
--- a/lib/gnutls_compress_int.c
+++ b/lib/gnutls_compress_int.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2000,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_constate.c b/lib/gnutls_constate.c
index 53962844d8..fca9088d5b 100644
--- a/lib/gnutls_constate.c
+++ b/lib/gnutls_constate.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_datum.c b/lib/gnutls_datum.c
index b871ad09f1..007404a8ae 100644
--- a/lib/gnutls_datum.c
+++ b/lib/gnutls_datum.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_db.c b/lib/gnutls_db.c
index 4cb0b20394..f54f1307d1 100644
--- a/lib/gnutls_db.c
+++ b/lib/gnutls_db.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2000,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_dh.c b/lib/gnutls_dh.c
index 65617a3e98..5d749066b2 100644
--- a/lib/gnutls_dh.c
+++ b/lib/gnutls_dh.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2000,2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  * someday was part of gsti
diff --git a/lib/gnutls_dh_primes.c b/lib/gnutls_dh_primes.c
index d0f22310af..31a786f189 100644
--- a/lib/gnutls_dh_primes.c
+++ b/lib/gnutls_dh_primes.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2000,2001,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_errors.c b/lib/gnutls_errors.c
index 0ea3581416..ca386ae735 100644
--- a/lib/gnutls_errors.c
+++ b/lib/gnutls_errors.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2000,2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_extensions.c b/lib/gnutls_extensions.c
index 179f09cdf7..d13e89cd86 100644
--- a/lib/gnutls_extensions.c
+++ b/lib/gnutls_extensions.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_global.c b/lib/gnutls_global.c
index df5327877a..c89fd3332e 100644
--- a/lib/gnutls_global.c
+++ b/lib/gnutls_global.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_handshake.c b/lib/gnutls_handshake.c
index 4abb19deb9..2a3026354f 100644
--- a/lib/gnutls_handshake.c
+++ b/lib/gnutls_handshake.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2000,2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_hash_int.c b/lib/gnutls_hash_int.c
index 1746f963dc..b7dd519c16 100644
--- a/lib/gnutls_hash_int.c
+++ b/lib/gnutls_hash_int.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2000,2001 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_kx.c b/lib/gnutls_kx.c
index 6d83c2ad78..dbb28b10d2 100644
--- a/lib/gnutls_kx.c
+++ b/lib/gnutls_kx.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2000,2001 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_mem.c b/lib/gnutls_mem.c
index dc21b196e1..0762c6f1ae 100644
--- a/lib/gnutls_mem.c
+++ b/lib/gnutls_mem.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_mpi.c b/lib/gnutls_mpi.c
index 8dede95446..0f115578c6 100644
--- a/lib/gnutls_mpi.c
+++ b/lib/gnutls_mpi.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_num.c b/lib/gnutls_num.c
index b0856ca7ad..8d9ed1c8c4 100644
--- a/lib/gnutls_num.c
+++ b/lib/gnutls_num.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2000,2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_pk.c b/lib/gnutls_pk.c
index c6d5db7be1..5a2d1e888d 100644
--- a/lib/gnutls_pk.c
+++ b/lib/gnutls_pk.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index ad898bc53d..3a6a6d9907 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2000 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_random.c b/lib/gnutls_random.c
index 849ac3cb91..7500910cfa 100644
--- a/lib/gnutls_random.c
+++ b/lib/gnutls_random.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2001,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_record.c b/lib/gnutls_record.c
index 832cffdbda..ccb6ae99d0 100644
--- a/lib/gnutls_record.c
+++ b/lib/gnutls_record.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2000,2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_rsa_export.c b/lib/gnutls_rsa_export.c
index 113867bd32..05e82535ef 100644
--- a/lib/gnutls_rsa_export.c
+++ b/lib/gnutls_rsa_export.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_session.c b/lib/gnutls_session.c
index 2c44748431..ca043c5b21 100644
--- a/lib/gnutls_session.c
+++ b/lib/gnutls_session.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2000 Nikos Mavroyanopoulos
+ * Copyright (C) 2000,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_session_pack.c b/lib/gnutls_session_pack.c
index 1a108d347d..f3b387d65f 100644
--- a/lib/gnutls_session_pack.c
+++ b/lib/gnutls_session_pack.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2000 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_sig.c b/lib/gnutls_sig.c
index 87a541d473..bdcc35d135 100644
--- a/lib/gnutls_sig.c
+++ b/lib/gnutls_sig.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2001 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index 711a2fdd31..aa06c0fbe4 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_str.c b/lib/gnutls_str.c
index 9a3918cb7a..50e7486e53 100644
--- a/lib/gnutls_str.c
+++ b/lib/gnutls_str.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2002 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c
index bf157596db..f29eab87d8 100644
--- a/lib/gnutls_ui.c
+++ b/lib/gnutls_ui.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_v2_compat.c b/lib/gnutls_v2_compat.c
index 0676b2dc1b..9db6516b2c 100644
--- a/lib/gnutls_v2_compat.c
+++ b/lib/gnutls_v2_compat.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2001 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index e6f0093d16..cf2aee981d 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/strnstr.c b/lib/strnstr.c
index 57aed55fb0..7eaa9d0dac 100644
--- a/lib/strnstr.c
+++ b/lib/strnstr.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/x509/common.c b/lib/x509/common.c
index 003857a716..ebbdd11a24 100644
--- a/lib/x509/common.c
+++ b/lib/x509/common.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/x509/compat.c b/lib/x509/compat.c
index 77c21d4da4..ac9e33c901 100644
--- a/lib/x509/compat.c
+++ b/lib/x509/compat.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
@@ -33,264 +34,6 @@ #include <gnutls/compat8.h> /** - * gnutls_x509_extract_dn - This function parses an RDN sequence - * @idn: should contain a DER encoded RDN sequence - * @rdn: a pointer to a structure to hold the name - * - * This function will return the name of the given RDN sequence. - * The name will be returned as a gnutls_x509_dn structure. - * Returns a negative error code in case of an error. - * - **/ -int gnutls_x509_extract_dn(const gnutls_datum * idn, gnutls_x509_dn * rdn) -{ - ASN1_TYPE dn = ASN1_TYPE_EMPTY; - int result; - size_t len; - - if ((result = - asn1_create_element(_gnutls_get_pkix(), - "PKIX1.Name", &dn - )) != ASN1_SUCCESS) { - return _gnutls_asn2err(result); - } - - result = asn1_der_decoding(&dn, idn->data, idn->size, NULL); - if (result != ASN1_SUCCESS) { - /* couldn't decode DER */ - asn1_delete_structure(&dn); - return _gnutls_asn2err(result); - } - - memset( rdn, 0, sizeof(gnutls_x509_dn)); - - len = sizeof(rdn->country); - _gnutls_x509_parse_dn_oid( dn, "", GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, rdn->country, &len); - - len = sizeof(rdn->organization); - _gnutls_x509_parse_dn_oid( dn, "", GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0, rdn->organization, &len); - - len = sizeof(rdn->organizational_unit_name); - _gnutls_x509_parse_dn_oid( dn, "", GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0, 0, rdn->organizational_unit_name, &len); - - len = sizeof(rdn->common_name); - _gnutls_x509_parse_dn_oid( dn, "", GNUTLS_OID_X520_COMMON_NAME, 0, 0, rdn->common_name, &len); - - len = sizeof(rdn->locality_name); - _gnutls_x509_parse_dn_oid( dn, "", GNUTLS_OID_X520_LOCALITY_NAME, 0, 0, rdn->locality_name, &len); - - len = sizeof(rdn->state_or_province_name); - _gnutls_x509_parse_dn_oid( dn, "", GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0, 0, rdn->state_or_province_name, &len); - - len = sizeof(rdn->email); - _gnutls_x509_parse_dn_oid( dn, "", GNUTLS_OID_PKCS9_EMAIL, 0, 0, rdn->email, &len); - - asn1_delete_structure(&dn); - - return 0; -} - -/** - * 
gnutls_x509_extract_certificate_dn - This function returns the certificate's distinguished name - * @cert: should contain an X.509 DER encoded certificate - * @ret: a pointer to a structure to hold the peer's name - * - * This function will return the name of the certificate holder. The name is gnutls_x509_dn structure and - * is a obtained by the peer's certificate. If the certificate send by the - * peer is invalid, or in any other failure this function returns error. - * Returns a negative error code in case of an error. - * - **/ -int gnutls_x509_extract_certificate_dn(const gnutls_datum * cert, - gnutls_x509_dn * ret) -{ - gnutls_x509_crt xcert; - int result; - size_t len; - - result = gnutls_x509_crt_init( &xcert); - if (result < 0) return result; - - result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER); - if (result < 0) { - gnutls_x509_crt_deinit( xcert); - return result; - } - - len = sizeof( ret->country); - gnutls_x509_crt_get_dn_by_oid( xcert, GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, - ret->country, &len); - - len = sizeof( ret->organization); - gnutls_x509_crt_get_dn_by_oid( xcert, GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0, - ret->organization, &len); - - len = sizeof( ret->organizational_unit_name); - gnutls_x509_crt_get_dn_by_oid( xcert, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0, 0, - ret->organizational_unit_name, &len); - - len = sizeof( ret->common_name); - gnutls_x509_crt_get_dn_by_oid( xcert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, - ret->common_name, &len); - - len = sizeof( ret->locality_name); - gnutls_x509_crt_get_dn_by_oid( xcert, GNUTLS_OID_X520_LOCALITY_NAME, 0, 0, - ret->locality_name, &len); - - len = sizeof( ret->state_or_province_name); - gnutls_x509_crt_get_dn_by_oid( xcert, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0, 0, - ret->state_or_province_name, &len); - - len = sizeof( ret->email); - gnutls_x509_crt_get_dn_by_oid( xcert, GNUTLS_OID_PKCS9_EMAIL, 0, 0, - ret->email, &len); - - gnutls_x509_crt_deinit( xcert); - - return 0; -} 
- -/** - * gnutls_x509_extract_certificate_issuer_dn - This function returns the certificate's issuer distinguished name - * @cert: should contain an X.509 DER encoded certificate - * @ret: a pointer to a structure to hold the issuer's name - * - * This function will return the name of the issuer stated in the certificate. The name is a gnutls_x509_dn structure and - * is a obtained by the peer's certificate. If the certificate send by the - * peer is invalid, or in any other failure this function returns error. - * Returns a negative error code in case of an error. - * - **/ -int gnutls_x509_extract_certificate_issuer_dn(const gnutls_datum * cert, - gnutls_x509_dn * ret) -{ - gnutls_x509_crt xcert; - int result; - size_t len; - - result = gnutls_x509_crt_init( &xcert); - if (result < 0) return result; - - result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER); - if (result < 0) { - gnutls_x509_crt_deinit( xcert); - return result; - } - - len = sizeof( ret->country); - gnutls_x509_crt_get_issuer_dn_by_oid( xcert, GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, - ret->country, &len); - - len = sizeof( ret->organization); - gnutls_x509_crt_get_issuer_dn_by_oid( xcert, GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0, - ret->organization, &len); - - len = sizeof( ret->organizational_unit_name); - gnutls_x509_crt_get_issuer_dn_by_oid( xcert, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0, 0, - ret->organizational_unit_name, &len); - - len = sizeof( ret->common_name); - gnutls_x509_crt_get_issuer_dn_by_oid( xcert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, - ret->common_name, &len); - - len = sizeof( ret->locality_name); - gnutls_x509_crt_get_issuer_dn_by_oid( xcert, GNUTLS_OID_X520_LOCALITY_NAME, 0, 0, - ret->locality_name, &len); - - len = sizeof( ret->state_or_province_name); - gnutls_x509_crt_get_issuer_dn_by_oid( xcert, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0, 0, - ret->state_or_province_name, &len); - - len = sizeof( ret->email); - gnutls_x509_crt_get_issuer_dn_by_oid( xcert, 
GNUTLS_OID_PKCS9_EMAIL, 0, 0, - ret->email, &len); - - gnutls_x509_crt_deinit( xcert); - - return 0; -} - - -/** - * gnutls_x509_extract_certificate_subject_alt_name - This function returns the certificate's alternative name, if any - * @cert: should contain an X.509 DER encoded certificate - * @seq: specifies the sequence number of the alt name (0 for the first one, 1 for the second etc.) - * @ret: is the place where the alternative name will be copied to - * @ret_size: holds the size of ret. - * - * This function will return the alternative names, contained in the - * given certificate. - * - * This is specified in X509v3 Certificate Extensions. - * GNUTLS will return the Alternative name, or a negative - * error code. - * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if ret_size is not enough to hold the alternative - * name, or the type of alternative name if everything was ok. The type is - * one of the enumerated GNUTLS_X509_SUBJECT_ALT_NAME. - * - * If the certificate does not have an Alternative name with the specified - * sequence number then returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; - * - **/ -int gnutls_x509_extract_certificate_subject_alt_name(const gnutls_datum * cert, int seq, char *ret, int *ret_size) -{ - gnutls_x509_crt xcert; - int result; - size_t size = *ret_size; - - result = gnutls_x509_crt_init( &xcert); - if (result < 0) return result; - - result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER); - if (result < 0) { - gnutls_x509_crt_deinit( xcert); - return result; - } - - result = gnutls_x509_crt_get_subject_alt_name( xcert, seq, ret, &size, NULL); - *ret_size = size; - - gnutls_x509_crt_deinit( xcert); - - return result; -} - -/** - * gnutls_x509_extract_certificate_ca_status - This function returns the certificate CA status - * @cert: should contain an X.509 DER encoded certificate - * - * This function will return certificates CA status, by reading the - * basicConstraints X.509 extension. 
If the certificate is a CA a positive - * value will be returned, or zero if the certificate does not have - * CA flag set. - * - * A negative value may be returned in case of parsing error. - * If the certificate does not contain the basicConstraints extension - * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned. - * - **/ -int gnutls_x509_extract_certificate_ca_status(const gnutls_datum * cert) -{ - gnutls_x509_crt xcert; - int result; - - result = gnutls_x509_crt_init( &xcert); - if (result < 0) return result; - - result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER); - if (result < 0) { - gnutls_x509_crt_deinit( xcert); - return result; - } - - result = gnutls_x509_crt_get_ca_status( xcert, NULL); - - gnutls_x509_crt_deinit( xcert); - - return result; -} - -/** * gnutls_x509_extract_certificate_activation_time - This function returns the peer's certificate activation time * @cert: should contain an X.509 DER encoded certificate * 
@@ -354,442 +97,3 @@ time_t gnutls_x509_extract_certificate_expiration_time(const return result; } -/** - * gnutls_x509_extract_certificate_version - This function returns the certificate's version - * @cert: is an X.509 DER encoded certificate - * - * This function will return the X.509 certificate's version (1, 2, 3). This is obtained by the X509 Certificate - * Version field. Returns a negative value in case of an error. - * - **/ -int gnutls_x509_extract_certificate_version(const gnutls_datum * cert) -{ - gnutls_x509_crt xcert; - int result; - - result = gnutls_x509_crt_init( &xcert); - if (result < 0) return result; - - result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER); - if (result < 0) { - gnutls_x509_crt_deinit( xcert); - return result; - } - - result = gnutls_x509_crt_get_version( xcert); - - gnutls_x509_crt_deinit( xcert); - - return result; - -} - -/** - * gnutls_x509_extract_certificate_serial - This function returns the certificate's serial number - * @cert: is an X.509 DER encoded certificate - * @result: The place where the serial number will be copied - * @result_size: Holds the size of the result field. - * - * This function will return the X.509 certificate's serial number. - * This is obtained by the X509 Certificate serialNumber - * field. Serial is not always a 32 or 64bit number. Some CAs use - * large serial numbers, thus it may be wise to handle it as something - * opaque. - * Returns a negative value in case of an error. 
- * - **/ -int gnutls_x509_extract_certificate_serial(const gnutls_datum * cert, char* result, int* result_size) -{ - gnutls_x509_crt xcert; - size_t size = *result_size; - int ret; - - ret = gnutls_x509_crt_init( &xcert); - if (ret < 0) return ret; - - ret = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER); - if (ret < 0) { - gnutls_x509_crt_deinit( xcert); - return ret; - } - - ret = gnutls_x509_crt_get_serial( xcert, result, &size); - *result_size = size; - - gnutls_x509_crt_deinit( xcert); - - return ret; -} - - -/** - * gnutls_x509_extract_certificate_pk_algorithm - This function returns the certificate's PublicKey algorithm - * @cert: is a DER encoded X.509 certificate - * @bits: if bits is non null it will hold the size of the parameters' in bits - * - * This function will return the public key algorithm of an X.509 - * certificate. - * - * If bits is non null, it should have enough size to hold the parameters - * size in bits. For RSA the bits returned is the modulus. - * For DSA the bits returned are of the public - * exponent. - * - * Returns a member of the gnutls_pk_algorithm enumeration on success, - * or a negative value on error. 
- * - **/ -int gnutls_x509_extract_certificate_pk_algorithm( const gnutls_datum * cert, int* bits) -{ - gnutls_x509_crt xcert; - int result; - - result = gnutls_x509_crt_init( &xcert); - if (result < 0) return result; - - result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER); - if (result < 0) { - gnutls_x509_crt_deinit( xcert); - return result; - } - - result = gnutls_x509_crt_get_pk_algorithm( xcert, bits); - - gnutls_x509_crt_deinit( xcert); - - return result; -} - - -/** - * gnutls_x509_extract_certificate_dn_string - This function returns the certificate's distinguished name - * @cert: should contain an X.509 DER encoded certificate - * @buf: a pointer to a structure to hold the peer's name - * @sizeof_buf: holds the size of 'buf' - * @issuer: if non zero, then extract the name of the issuer, instead of the holder - * - * This function will copy the name of the certificate holder in the provided buffer. The name - * will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253. - * - * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough, - * and 0 on success. 
- * - **/ -int gnutls_x509_extract_certificate_dn_string(char *buf, unsigned int sizeof_buf, - const gnutls_datum * cert, int issuer) -{ - gnutls_x509_crt xcert; - int result; - - result = gnutls_x509_crt_init( &xcert); - if (result < 0) return result; - - result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER); - if (result < 0) { - gnutls_x509_crt_deinit( xcert); - return result; - } - - if (!issuer) - result = gnutls_x509_crt_get_dn( xcert, buf, &sizeof_buf); - else - result = gnutls_x509_crt_get_issuer_dn( xcert, buf, &sizeof_buf); - - gnutls_x509_crt_deinit( xcert); - - return result; -} - -/** - * gnutls_x509_verify_certificate - This function verifies given certificate list - * @cert_list: is the certificate list to be verified - * @cert_list_length: holds the number of certificate in cert_list - * @CA_list: is the CA list which will be used in verification - * @CA_list_length: holds the number of CA certificate in CA_list - * @CRL_list: not used - * @CRL_list_length: not used - * - * This function will try to verify the given certificate list and return its status (TRUSTED, EXPIRED etc.). - * The return value (status) should be one or more of the gnutls_certificate_status - * enumerated elements bitwise or'd. Note that expiration and activation dates are not checked - * by this function, you should check them using the appropriate functions. - * - * This function understands the basicConstraints (2.5.29.19) PKIX extension. - * This means that only a certificate authority can sign a certificate. - * - * However you must also check the peer's name in order to check if the verified certificate belongs to the - * actual peer. - * - * The return value (status) should be one or more of the gnutls_certificate_status - * enumerated elements bitwise or'd. - * - * GNUTLS_CERT_INVALID\: the peer's certificate is not valid. - * - * GNUTLS_CERT_REVOKED\: the certificate has been revoked. - * - * A negative error code is returned in case of an error. 
- * GNUTLS_E_NO_CERTIFICATE_FOUND is returned to indicate that
- * no certificate was sent by the peer.
- *
- *
- **/
-int gnutls_x509_verify_certificate( const gnutls_datum* cert_list, int cert_list_length,
- const gnutls_datum * CA_list, int CA_list_length,
- const gnutls_datum* CRL_list, int CRL_list_length)
-{
- unsigned int verify;
- gnutls_x509_crt *peer_certificate_list = NULL;
- gnutls_x509_crt *ca_certificate_list = NULL;
- gnutls_x509_crl *crl_list = NULL;
- int peer_certificate_list_size=0, i, x, ret;
- int ca_certificate_list_size=0, crl_list_size=0;
-
- if (cert_list == NULL || cert_list_length == 0)
- return GNUTLS_E_NO_CERTIFICATE_FOUND;
-
- /* generate a list of gnutls_certs based on the auth info
- * raw certs.
- */
- peer_certificate_list_size = cert_list_length;
- peer_certificate_list =
- gnutls_calloc(1,
- peer_certificate_list_size *
- sizeof(gnutls_x509_crt));
- if (peer_certificate_list == NULL) {
- gnutls_assert();
- ret = GNUTLS_E_MEMORY_ERROR;
- goto cleanup;
- }
-
- ca_certificate_list_size = CA_list_length;
- ca_certificate_list =
- gnutls_calloc(1,
- ca_certificate_list_size *
- sizeof(gnutls_x509_crt));
- if (ca_certificate_list == NULL) {
- gnutls_assert();
- ret = GNUTLS_E_MEMORY_ERROR;
- goto cleanup;
- }
-
- /* allocate memory for CRL
- */
- crl_list_size = CRL_list_length;
- crl_list =
- gnutls_calloc(1,
- crl_list_size *
- sizeof(gnutls_x509_crl));
- if (crl_list == NULL) {
- gnutls_assert();
- ret = GNUTLS_E_MEMORY_ERROR;
- goto cleanup;
- }
-
- /* convert certA_list to gnutls_cert* list
- */
- for (i = 0; i < peer_certificate_list_size; i++) {
- ret = gnutls_x509_crt_init( &peer_certificate_list[i]);
- if (ret < 0) {
- gnutls_assert();
- goto cleanup;
- }
-
- ret =
- gnutls_x509_crt_import(peer_certificate_list[i],
- &cert_list[i], GNUTLS_X509_FMT_DER);
- if (ret < 0) {
- gnutls_assert();
- goto cleanup;
- }
- }
-
- /* convert CA_list to gnutls_x509_cert* list
- */
- for (i = 0; i < ca_certificate_list_size; i++) {
- ret =
gnutls_x509_crt_init(&ca_certificate_list[i]);
- if (ret < 0) {
- gnutls_assert();
- goto cleanup;
- }
-
- ret =
- gnutls_x509_crt_import(ca_certificate_list[i],
- &CA_list[i], GNUTLS_X509_FMT_DER);
- if (ret < 0) {
- gnutls_assert();
- goto cleanup;
- }
- }
-
-#ifdef ENABLE_PKI
- /* convert CRL_list to gnutls_x509_crl* list
- */
- for (i = 0; i < crl_list_size; i++) {
- ret = gnutls_x509_crl_init( &crl_list[i]);
- if (ret < 0) {
- gnutls_assert();
- goto cleanup;
- }
-
- ret =
- gnutls_x509_crl_import(crl_list[i],
- &CRL_list[i], GNUTLS_X509_FMT_DER);
- if (ret < 0) {
- gnutls_assert();
- goto cleanup;
- }
- }
-#endif
-
- /* Verify certificate
- */
- ret =
- gnutls_x509_crt_list_verify(peer_certificate_list,
- peer_certificate_list_size,
- ca_certificate_list, ca_certificate_list_size,
- crl_list, crl_list_size, 0, &verify);
-
- if (ret < 0) {
- gnutls_assert();
- goto cleanup;
- }
-
- ret = verify;
-
- cleanup:
-
- if (peer_certificate_list != NULL)
- for(x=0;x<peer_certificate_list_size;x++) {
- if (peer_certificate_list[x] != NULL)
- gnutls_x509_crt_deinit(peer_certificate_list[x]);
- }
-
- if (ca_certificate_list != NULL)
- for(x=0;x<ca_certificate_list_size;x++) {
- if (ca_certificate_list[x] != NULL)
- gnutls_x509_crt_deinit(ca_certificate_list[x]);
- }
-
-#ifdef ENABLE_PKI
- if (crl_list != NULL)
- for(x=0;x<crl_list_size;x++) {
- if (crl_list[x] != NULL)
- gnutls_x509_crl_deinit(crl_list[x]);
- }
-
- gnutls_free( crl_list);
-#endif
-
- gnutls_free( ca_certificate_list);
- gnutls_free( peer_certificate_list);
-
- return ret;
-}
-
-/**
- * gnutls_x509_extract_key_pk_algorithm - This function returns the keys's PublicKey algorithm
- * @cert: is a DER encoded private key
- *
- * This function will return the public key algorithm of a DER encoded private
- * key.
- *
- * Returns a member of the gnutls_pk_algorithm enumeration on success,
- * or GNUTLS_E_UNKNOWN_PK_ALGORITHM on error.
- *
- **/
-int gnutls_x509_extract_key_pk_algorithm( const gnutls_datum * key)
-{
- gnutls_x509_privkey pkey;
- int ret, pk;
-
- ret = gnutls_x509_privkey_init( &pkey);
- if (ret < 0) {
- gnutls_assert();
- return ret;
- }
-
- ret = gnutls_x509_privkey_import( pkey, key, GNUTLS_X509_FMT_DER);
- if (ret < 0) {
- gnutls_assert();
- return ret;
- }
-
- pk = gnutls_x509_privkey_get_pk_algorithm( pkey);
-
- gnutls_x509_privkey_deinit( pkey);
- return pk;
-}
-
-#ifdef ENABLE_PKI
-
-/**
- * gnutls_x509_pkcs7_extract_certificate - This function returns a certificate in a PKCS7 certificate set
- * @pkcs7_struct: should contain a PKCS7 DER formatted structure
- * @indx: contains the index of the certificate to extract
- * @certificate: the contents of the certificate will be copied there
- * @certificate_size: should hold the size of the certificate
- *
- * This function will return a certificate of the PKCS7 or RFC2630 certificate set.
- * Returns 0 on success. If the provided buffer is not long enough,
- * then GNUTLS_E_SHORT_MEMORY_BUFFER is returned.
- *
- * After the last certificate has been read GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
- * will be returned.
- *
- **/
-int gnutls_x509_pkcs7_extract_certificate(const gnutls_datum * pkcs7_struct, int indx, char* certificate, int* certificate_size)
-{
- gnutls_pkcs7 pkcs7;
- int result;
- size_t size = *certificate_size;
-
- result = gnutls_pkcs7_init( &pkcs7);
- if (result < 0) return result;
-
- result = gnutls_pkcs7_import( pkcs7, pkcs7_struct, GNUTLS_X509_FMT_DER);
- if (result < 0) {
- gnutls_pkcs7_deinit( pkcs7);
- return result;
- }
-
- result = gnutls_pkcs7_get_crt_raw( pkcs7, indx, certificate, &size);
- *certificate_size = size;
-
- gnutls_pkcs7_deinit( pkcs7);
-
- return result;
-}
-
-
-/**
- * gnutls_x509_pkcs7_extract_certificate_count - This function returns the number of certificates in a PKCS7 certificate set
- * @pkcs7_struct: should contain a PKCS7 DER formatted structure
- *
- * This function will return the number of certifcates in the PKCS7 or
- * RFC2630 certificate set.
- *
- * Returns a negative value on failure.
- *
- **/
-int gnutls_x509_pkcs7_extract_certificate_count(const gnutls_datum * pkcs7_struct)
-{
- gnutls_pkcs7 pkcs7;
- int result;
-
- result = gnutls_pkcs7_init( &pkcs7);
- if (result < 0) return result;
-
- result = gnutls_pkcs7_import( pkcs7, pkcs7_struct, GNUTLS_X509_FMT_DER);
- if (result < 0) {
- gnutls_pkcs7_deinit( pkcs7);
- return result;
- }
-
- result = gnutls_pkcs7_get_crt_count( pkcs7);
-
- gnutls_pkcs7_deinit( pkcs7);
-
- return result;
-}
-
-#endif
diff --git a/lib/x509/compat.h b/lib/x509/compat.h
index 7e60f131db..834c41caa9 100644
--- a/lib/x509/compat.h
+++ b/lib/x509/compat.h
@@ -2,9 +2,3 @@ time_t gnutls_x509_extract_certificate_activation_time( const gnutls_datum*);
 time_t gnutls_x509_extract_certificate_expiration_time( const gnutls_datum*);
-
-int gnutls_x509_extract_certificate_subject_alt_name( const gnutls_datum*, int seq, char*, int*);
-int gnutls_x509_extract_certificate_dn( const gnutls_datum*, gnutls_x509_dn*);
-
-int gnutls_x509_pkcs7_extract_certificate(const gnutls_datum * pkcs7_struct, int indx, char* certificate, int* certificate_size);
-int gnutls_x509_pkcs7_extract_certificate_count(const gnutls_datum * pkcs7_struct);
diff --git a/lib/x509/crl.c b/lib/x509/crl.c
index be4edc4a1d..89f2738340 100644
--- a/lib/x509/crl.c
+++ b/lib/x509/crl.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/x509/crq.c b/lib/x509/crq.c
index 8ed79f331a..453c31f966 100644
--- a/lib/x509/crq.c
+++ b/lib/x509/crq.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/x509/dn.c b/lib/x509/dn.c
index 755f72ec55..ae3af42c0e 100644
--- a/lib/x509/dn.c
+++ b/lib/x509/dn.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/x509/dsa.c b/lib/x509/dsa.c
index 174c0b31b2..6d2f25b72f 100644
--- a/lib/x509/dsa.c
+++ b/lib/x509/dsa.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/x509/extensions.c b/lib/x509/extensions.c
index c4dbfe4a6d..921ea125b5 100644
--- a/lib/x509/extensions.c
+++ b/lib/x509/extensions.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/x509/mpi.c b/lib/x509/mpi.c
index 007e728336..53d4e5e2f9 100644
--- a/lib/x509/mpi.c
+++ b/lib/x509/mpi.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
index 9f61e21d0d..db8245af90 100644
--- a/lib/x509/pkcs12.c
+++ b/lib/x509/pkcs12.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/x509/pkcs12_bag.c b/lib/x509/pkcs12_bag.c
index 6b9ab32ba1..466f4e7970 100644
--- a/lib/x509/pkcs12_bag.c
+++ b/lib/x509/pkcs12_bag.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/x509/pkcs12_encr.c b/lib/x509/pkcs12_encr.c
index c1501e62db..921bff9b86 100644
--- a/lib/x509/pkcs12_encr.c
+++ b/lib/x509/pkcs12_encr.c
@@ -1,7 +1,4 @@
-/* This is based on minip12.
- */
-
-/* minip12.c - A minilam pkcs-12 implementation.
+/* minip12.c - A mini pkcs-12 implementation (modified for gnutls)
  * Copyright (C) 2002 Free Software Foundation, Inc.
  *
  * This file some day was part of GnuPG.
diff --git a/lib/x509/pkcs5.c b/lib/x509/pkcs5.c
index 15ce59c05c..c1c745b71e 100644
--- a/lib/x509/pkcs5.c
+++ b/lib/x509/pkcs5.c
@@ -1,5 +1,6 @@
 /* pkcs5.c Implementation of Password-Based Cryptography as per PKCS#5
  * Copyright (C) 2002,2003 Simon Josefsson
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
diff --git a/lib/x509/pkcs7.c b/lib/x509/pkcs7.c
index eb12fc1212..4eac6054d6 100644
--- a/lib/x509/pkcs7.c
+++ b/lib/x509/pkcs7.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/x509/privkey.c b/lib/x509/privkey.c
index 930640d6e1..4798e221dd 100644
--- a/lib/x509/privkey.c
+++ b/lib/x509/privkey.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c
index 433436fa3b..412b855e01 100644
--- a/lib/x509/privkey_pkcs8.c
+++ b/lib/x509/privkey_pkcs8.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/x509/rc2.c b/lib/x509/rc2.c
index b993d44793..982d556f25 100644
--- a/lib/x509/rc2.c
+++ b/lib/x509/rc2.c
@@ -1,5 +1,6 @@
 /* rc2.c - The RC2 stream cipher
  * Copyright (C) 2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/x509/rfc2818_hostname.c b/lib/x509/rfc2818_hostname.c
index 249ec82622..bd3d7c5713 100644
--- a/lib/x509/rfc2818_hostname.c
+++ b/lib/x509/rfc2818_hostname.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2002 Andrew McDonald
  * Portions Copyright 2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/x509/sign.c b/lib/x509/sign.c
index b32c21569b..73d9d56a9d 100644
--- a/lib/x509/sign.c
+++ b/lib/x509/sign.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2003 Nikos Mavroyanopoulos <nmav@hellug.gr>
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 7055debb2e..9b3f658b00 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2003 Nikos Mavroyanopoulos <nmav@hellug.gr>
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index c7f546a7b1..88051c0cc2 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/x509/x509_write.c b/lib/x509/x509_write.c
index 8de1ff010c..b4c155b7bb 100644
--- a/lib/x509/x509_write.c
+++ b/lib/x509/x509_write.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/x509/xml.c b/lib/x509/xml.c
index 5c3ec65f94..24df070219 100644
--- a/lib/x509/xml.c
+++ b/lib/x509/xml.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/lib/x509_b64.c b/lib/x509_b64.c
index 7156bd2fb9..9b233af614 100644
--- a/lib/x509_b64.c
+++ b/lib/x509_b64.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2000,2001,2003 Nikos Mavroyanopoulos <nmav@hellug.gr>
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/libextra/Makefile.am b/libextra/Makefile.am
index 0db520f996..844b9f2c34 100644
--- a/libextra/Makefile.am
+++ b/libextra/Makefile.am
@@ -12,7 +12,7 @@ else
 endif
 EXTRA_DIST = ext_srp.h gnutls_srp.h libgnutls-extra.vers \
- auth_srp.h auth_srp_passwd.h \
+ auth_srp.h auth_srp_passwd.h openssl_compat.h \
 gnutls-extra-api.tex gnutls_extra.h libgnutls-extra-config.in \
 libgnutls-extra.m4 lzoconf.h minilzo.h
@@ -22,7 +22,7 @@ lib_LTLIBRARIES = libgnutls-extra.la libgnutls-openssl.la
 libgnutls_openssl_la_LDFLAGS = -version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE)
-libgnutls_openssl_la_SOURCES = gnutls_openssl.c
+libgnutls_openssl_la_SOURCES = gnutls_openssl.c openssl_compat.c
 libgnutls_openssl_la_LIBADD = \
 ../lib/libgnutls.la
diff --git a/libextra/auth_srp.c b/libextra/auth_srp.c
index 169949b270..17fe1d28b2 100644
--- a/libextra/auth_srp.c
+++ b/libextra/auth_srp.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/libextra/auth_srp_passwd.c b/libextra/auth_srp_passwd.c
index 67cdaf1732..580cc7f438 100644
--- a/libextra/auth_srp_passwd.c
+++ b/libextra/auth_srp_passwd.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2001,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/libextra/auth_srp_rsa.c b/libextra/auth_srp_rsa.c
index bd5a26df86..561465d71f 100644
--- a/libextra/auth_srp_rsa.c
+++ b/libextra/auth_srp_rsa.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2001,2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/libextra/auth_srp_sb64.c b/libextra/auth_srp_sb64.c
index 9011ec1843..db8edb65b7 100644
--- a/libextra/auth_srp_sb64.c
+++ b/libextra/auth_srp_sb64.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2001,2002 Nikos Mavroyanopoulos <nmav@hellug.gr>
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/libextra/ext_srp.c b/libextra/ext_srp.c
index a9460a1e7d..2624b965b1 100644
--- a/libextra/ext_srp.c
+++ b/libextra/ext_srp.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2001,2002 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/libextra/gnutls_extra.c b/libextra/gnutls_extra.c
index b4a8c78576..00c99b2c7e 100644
--- a/libextra/gnutls_extra.c
+++ b/libextra/gnutls_extra.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2001 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/libextra/gnutls_openpgp.c b/libextra/gnutls_openpgp.c
index 86c2daffe3..4ba3061bcb 100644
--- a/libextra/gnutls_openpgp.c
+++ b/libextra/gnutls_openpgp.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2002,2003 Timo Schulz <twoaday@freakmail.de>
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/libextra/gnutls_openssl.c b/libextra/gnutls_openssl.c
index b7ecaebb9e..31155e18eb 100644
--- a/libextra/gnutls_openssl.c
+++ b/libextra/gnutls_openssl.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 2002 Andrew McDonald <andrew@mcdonald.org.uk>
+ * Copyright (C) 2004 Free Software Foundation
  *
  * GNUTLS-EXTRA is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
@@ -19,7 +20,7 @@
 #include <config.h>
 #include <gnutls/gnutls.h>
-#include <gnutls/compat8.h>
+#include <openssl_compat.h>
 #include <gcrypt.h>
 #include <stdio.h>
 #include <stdlib.h>
diff --git a/libextra/gnutls_srp.c b/libextra/gnutls_srp.c
index e80602b118..2befd82c12 100644
--- a/libextra/gnutls_srp.c
+++ b/libextra/gnutls_srp.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2001,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/libextra/openpgp/compat.c b/libextra/openpgp/compat.c
index 4faef21985..963efad620 100644
--- a/libextra/openpgp/compat.c
+++ b/libextra/openpgp/compat.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2002 Timo Schulz
  * Portions Copyright (C) 2003 Nikos Mavroyanopoulos
+ * Copyright 2004 Free Software Foundation
  *
  * This file is part of GNUTLS-EXTRA.
  *
diff --git a/libextra/openpgp/extras.c b/libextra/openpgp/extras.c
index 48a36ccb7f..1de1b2eb8b 100644
--- a/libextra/openpgp/extras.c
+++ b/libextra/openpgp/extras.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (C) 2003 Nikos Mavroyanopoulos
+ * Copyright 2004 Free Software Foundation
  *
  * This file is part of GNUTLS-EXTRA.
  *
diff --git a/libextra/openpgp/openpgp.c b/libextra/openpgp/openpgp.c
index 22a28a9461..5ebdab7625 100644
--- a/libextra/openpgp/openpgp.c
+++ b/libextra/openpgp/openpgp.c
@@ -1,6 +1,7 @@
 /*
- * Copyright (C) 2002 Timo Schulz
- * Portions Copyright (C) 2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2002 Timo Schulz
+ * Portions Copyright (C) 2003 Nikos Mavroyanopoulos
+ * Copyright 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/libextra/openpgp/privkey.c b/libextra/openpgp/privkey.c
index 51a315fa82..0331ad1bf5 100644
--- a/libextra/openpgp/privkey.c
+++ b/libextra/openpgp/privkey.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2003 Nikos Mavroyanopoulos
+ * Copyright 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/libextra/openpgp/verify.c b/libextra/openpgp/verify.c
index 481c558222..7472b4e353 100644
--- a/libextra/openpgp/verify.c
+++ b/libextra/openpgp/verify.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2002 Timo Schulz
  * Portions Copyright (C) 2003 Nikos Mavroyanopoulos
+ * Copyright 2004 Free Software Foundation
  *
  * This file is part of GNUTLS-EXTRA.
  *
diff --git a/libextra/openpgp/xml.c b/libextra/openpgp/xml.c
index aacad0830d..d95e10e85a 100644
--- a/libextra/openpgp/xml.c
+++ b/libextra/openpgp/xml.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2002 Timo Schulz <twoaday@freakmail.de>
  * Portions Copyright 2003 Nikos Mavroyanopoulos <nmav@gnutls.org>
+ * Copyright 2004 Free Software Foundation
  *
  * This file is part of GNUTLS.
  *
diff --git a/libextra/openssl_compat.c b/libextra/openssl_compat.c
new file mode 100644
index 0000000000..247cad1bdf
--- /dev/null
+++ b/libextra/openssl_compat.c
@@ -0,0 +1,796 @@
+/*
+ * Copyright (C) 2002,2003 Nikos Mavroyanopoulos
+ * Copyright (C) 2004 Free Software Foundation
+ *
+ * This file is part of GNUTLS.
+ *
+ * The GNUTLS library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ */
+
+/* This file includes all functions that were in the 0.5.x and 0.8.x
+ * gnutls API. They are now implemented over the new certificate parsing
+ * API.
+ */
+
+#include <gnutls_global.h>
+#include <gnutls_errors.h>
+#include <string.h> /* memset */
+#include <x509/dn.h>
+#include <libtasn1.h>
+#include <gnutls/x509.h>
+#include <openssl_compat.h>
+
+/**
+ * gnutls_x509_extract_dn - This function parses an RDN sequence
+ * @idn: should contain a DER encoded RDN sequence
+ * @rdn: a pointer to a structure to hold the name
+ *
+ * This function will return the name of the given RDN sequence.
+ * The name will be returned as a gnutls_x509_dn structure.
+ * Returns a negative error code in case of an error.
+ *
+ **/
+int gnutls_x509_extract_dn(const gnutls_datum * idn, gnutls_x509_dn * rdn)
+{
+ ASN1_TYPE dn = ASN1_TYPE_EMPTY;
+ int result;
+ size_t len;
+
+ if ((result =
+ asn1_create_element(_gnutls_get_pkix(),
+ "PKIX1.Name", &dn
+ )) != ASN1_SUCCESS) {
+ return _gnutls_asn2err(result);
+ }
+
+ result = asn1_der_decoding(&dn, idn->data, idn->size, NULL);
+ if (result != ASN1_SUCCESS) {
+ /* couldn't decode DER */
+ asn1_delete_structure(&dn);
+ return _gnutls_asn2err(result);
+ }
+
+ memset( rdn, 0, sizeof(gnutls_x509_dn));
+
+ len = sizeof(rdn->country);
+ _gnutls_x509_parse_dn_oid( dn, "", GNUTLS_OID_X520_COUNTRY_NAME, 0, 0, rdn->country, &len);
+
+ len = sizeof(rdn->organization);
+ _gnutls_x509_parse_dn_oid( dn, "", GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0, rdn->organization, &len);
+
+ len = sizeof(rdn->organizational_unit_name);
+ _gnutls_x509_parse_dn_oid( dn, "", GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0, 0, rdn->organizational_unit_name, &len);
+
+ len = sizeof(rdn->common_name);
+ _gnutls_x509_parse_dn_oid( dn, "", GNUTLS_OID_X520_COMMON_NAME, 0, 0, rdn->common_name, &len);
+
+ len = sizeof(rdn->locality_name);
+ _gnutls_x509_parse_dn_oid( dn, "", GNUTLS_OID_X520_LOCALITY_NAME, 0, 0, rdn->locality_name, &len);
+
+ len = sizeof(rdn->state_or_province_name);
+ _gnutls_x509_parse_dn_oid( dn, "", GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0, 0, rdn->state_or_province_name, &len);
+
+ len = sizeof(rdn->email);
+ _gnutls_x509_parse_dn_oid( dn, "", GNUTLS_OID_PKCS9_EMAIL, 0, 0, rdn->email, &len);
+
+ asn1_delete_structure(&dn);
+
+ return 0;
+}
+
+/**
+ * gnutls_x509_extract_certificate_dn - This function returns the certificate's distinguished name
+ * @cert: should contain an X.509 DER encoded certificate
+ * @ret: a pointer to a structure to hold the peer's name
+ *
+ * This function will return the name of the certificate holder. The name is gnutls_x509_dn structure and
+ * is a obtained by the peer's certificate.
If the certificate send by the
+ * peer is invalid, or in any other failure this function returns error.
+ * Returns a negative error code in case of an error.
+ *
+ **/
+int gnutls_x509_extract_certificate_dn(const gnutls_datum * cert,
+ gnutls_x509_dn * ret)
+{
+ gnutls_x509_crt xcert;
+ int result;
+ size_t len;
+
+ result = gnutls_x509_crt_init( &xcert);
+ if (result < 0) return result;
+
+ result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER);
+ if (result < 0) {
+ gnutls_x509_crt_deinit( xcert);
+ return result;
+ }
+
+ len = sizeof( ret->country);
+ gnutls_x509_crt_get_dn_by_oid( xcert, GNUTLS_OID_X520_COUNTRY_NAME, 0, 0,
+ ret->country, &len);
+
+ len = sizeof( ret->organization);
+ gnutls_x509_crt_get_dn_by_oid( xcert, GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0,
+ ret->organization, &len);
+
+ len = sizeof( ret->organizational_unit_name);
+ gnutls_x509_crt_get_dn_by_oid( xcert, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0, 0,
+ ret->organizational_unit_name, &len);
+
+ len = sizeof( ret->common_name);
+ gnutls_x509_crt_get_dn_by_oid( xcert, GNUTLS_OID_X520_COMMON_NAME, 0, 0,
+ ret->common_name, &len);
+
+ len = sizeof( ret->locality_name);
+ gnutls_x509_crt_get_dn_by_oid( xcert, GNUTLS_OID_X520_LOCALITY_NAME, 0, 0,
+ ret->locality_name, &len);
+
+ len = sizeof( ret->state_or_province_name);
+ gnutls_x509_crt_get_dn_by_oid( xcert, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0, 0,
+ ret->state_or_province_name, &len);
+
+ len = sizeof( ret->email);
+ gnutls_x509_crt_get_dn_by_oid( xcert, GNUTLS_OID_PKCS9_EMAIL, 0, 0,
+ ret->email, &len);
+
+ gnutls_x509_crt_deinit( xcert);
+
+ return 0;
+}
+
+/**
+ * gnutls_x509_extract_certificate_issuer_dn - This function returns the certificate's issuer distinguished name
+ * @cert: should contain an X.509 DER encoded certificate
+ * @ret: a pointer to a structure to hold the issuer's name
+ *
+ * This function will return the name of the issuer stated in the certificate.
The name is a gnutls_x509_dn structure and
+ * is a obtained by the peer's certificate. If the certificate send by the
+ * peer is invalid, or in any other failure this function returns error.
+ * Returns a negative error code in case of an error.
+ *
+ **/
+int gnutls_x509_extract_certificate_issuer_dn(const gnutls_datum * cert,
+ gnutls_x509_dn * ret)
+{
+ gnutls_x509_crt xcert;
+ int result;
+ size_t len;
+
+ result = gnutls_x509_crt_init( &xcert);
+ if (result < 0) return result;
+
+ result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER);
+ if (result < 0) {
+ gnutls_x509_crt_deinit( xcert);
+ return result;
+ }
+
+ len = sizeof( ret->country);
+ gnutls_x509_crt_get_issuer_dn_by_oid( xcert, GNUTLS_OID_X520_COUNTRY_NAME, 0, 0,
+ ret->country, &len);
+
+ len = sizeof( ret->organization);
+ gnutls_x509_crt_get_issuer_dn_by_oid( xcert, GNUTLS_OID_X520_ORGANIZATION_NAME, 0, 0,
+ ret->organization, &len);
+
+ len = sizeof( ret->organizational_unit_name);
+ gnutls_x509_crt_get_issuer_dn_by_oid( xcert, GNUTLS_OID_X520_ORGANIZATIONAL_UNIT_NAME, 0, 0,
+ ret->organizational_unit_name, &len);
+
+ len = sizeof( ret->common_name);
+ gnutls_x509_crt_get_issuer_dn_by_oid( xcert, GNUTLS_OID_X520_COMMON_NAME, 0, 0,
+ ret->common_name, &len);
+
+ len = sizeof( ret->locality_name);
+ gnutls_x509_crt_get_issuer_dn_by_oid( xcert, GNUTLS_OID_X520_LOCALITY_NAME, 0, 0,
+ ret->locality_name, &len);
+
+ len = sizeof( ret->state_or_province_name);
+ gnutls_x509_crt_get_issuer_dn_by_oid( xcert, GNUTLS_OID_X520_STATE_OR_PROVINCE_NAME, 0, 0,
+ ret->state_or_province_name, &len);
+
+ len = sizeof( ret->email);
+ gnutls_x509_crt_get_issuer_dn_by_oid( xcert, GNUTLS_OID_PKCS9_EMAIL, 0, 0,
+ ret->email, &len);
+
+ gnutls_x509_crt_deinit( xcert);
+
+ return 0;
+}
+
+
+/**
+ * gnutls_x509_extract_certificate_subject_alt_name - This function returns the certificate's alternative name, if any
+ * @cert: should contain an X.509 DER encoded certificate
+ * @seq: specifies the sequence
number of the alt name (0 for the first one, 1 for the second etc.)
+ * @ret: is the place where the alternative name will be copied to
+ * @ret_size: holds the size of ret.
+ *
+ * This function will return the alternative names, contained in the
+ * given certificate.
+ *
+ * This is specified in X509v3 Certificate Extensions.
+ * GNUTLS will return the Alternative name, or a negative
+ * error code.
+ * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if ret_size is not enough to hold the alternative
+ * name, or the type of alternative name if everything was ok. The type is
+ * one of the enumerated GNUTLS_X509_SUBJECT_ALT_NAME.
+ *
+ * If the certificate does not have an Alternative name with the specified
+ * sequence number then returns GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
+ *
+ **/
+int gnutls_x509_extract_certificate_subject_alt_name(const gnutls_datum * cert, int seq, char *ret, int *ret_size)
+{
+ gnutls_x509_crt xcert;
+ int result;
+ size_t size = *ret_size;
+
+ result = gnutls_x509_crt_init( &xcert);
+ if (result < 0) return result;
+
+ result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER);
+ if (result < 0) {
+ gnutls_x509_crt_deinit( xcert);
+ return result;
+ }
+
+ result = gnutls_x509_crt_get_subject_alt_name( xcert, seq, ret, &size, NULL);
+ *ret_size = size;
+
+ gnutls_x509_crt_deinit( xcert);
+
+ return result;
+}
+
+/**
+ * gnutls_x509_extract_certificate_ca_status - This function returns the certificate CA status
+ * @cert: should contain an X.509 DER encoded certificate
+ *
+ * This function will return certificates CA status, by reading the
+ * basicConstraints X.509 extension. If the certificate is a CA a positive
+ * value will be returned, or zero if the certificate does not have
+ * CA flag set.
+ *
+ * A negative value may be returned in case of parsing error.
+ * If the certificate does not contain the basicConstraints extension
+ * GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE will be returned.
+ *
+ **/
+int gnutls_x509_extract_certificate_ca_status(const gnutls_datum * cert)
+{
+ gnutls_x509_crt xcert;
+ int result;
+
+ result = gnutls_x509_crt_init( &xcert);
+ if (result < 0) return result;
+
+ result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER);
+ if (result < 0) {
+ gnutls_x509_crt_deinit( xcert);
+ return result;
+ }
+
+ result = gnutls_x509_crt_get_ca_status( xcert, NULL);
+
+ gnutls_x509_crt_deinit( xcert);
+
+ return result;
+}
+
+/**
+ * gnutls_x509_extract_certificate_activation_time - This function returns the peer's certificate activation time
+ * @cert: should contain an X.509 DER encoded certificate
+ *
+ * This function will return the certificate's activation time in UNIX time
+ * (ie seconds since 00:00:00 UTC January 1, 1970).
+ * Returns a (time_t) -1 in case of an error.
+ *
+ **/
+time_t gnutls_x509_extract_certificate_activation_time(const
+ gnutls_datum *
+ cert)
+{
+ gnutls_x509_crt xcert;
+ time_t result;
+
+ result = gnutls_x509_crt_init( &xcert);
+ if (result < 0) return result;
+
+ result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER);
+ if (result < 0) {
+ gnutls_x509_crt_deinit( xcert);
+ return result;
+ }
+
+ result = gnutls_x509_crt_get_activation_time( xcert);
+
+ gnutls_x509_crt_deinit( xcert);
+
+ return result;
+}
+
+/**
+ * gnutls_x509_extract_certificate_expiration_time - This function returns the certificate's expiration time
+ * @cert: should contain an X.509 DER encoded certificate
+ *
+ * This function will return the certificate's expiration time in UNIX time
+ * (ie seconds since 00:00:00 UTC January 1, 1970).
+ * Returns a (time_t) -1 in case of an error.
+ *
+ **/
+time_t gnutls_x509_extract_certificate_expiration_time(const
+ gnutls_datum *
+ cert)
+{
+ gnutls_x509_crt xcert;
+ time_t result;
+
+ result = gnutls_x509_crt_init( &xcert);
+ if (result < 0) return result;
+
+ result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER);
+ if (result < 0) {
+ gnutls_x509_crt_deinit( xcert);
+ return result;
+ }
+
+ result = gnutls_x509_crt_get_expiration_time( xcert);
+
+ gnutls_x509_crt_deinit( xcert);
+
+ return result;
+}
+
+/**
+ * gnutls_x509_extract_certificate_version - This function returns the certificate's version
+ * @cert: is an X.509 DER encoded certificate
+ *
+ * This function will return the X.509 certificate's version (1, 2, 3). This is obtained by the X509 Certificate
+ * Version field. Returns a negative value in case of an error.
+ *
+ **/
+int gnutls_x509_extract_certificate_version(const gnutls_datum * cert)
+{
+ gnutls_x509_crt xcert;
+ int result;
+
+ result = gnutls_x509_crt_init( &xcert);
+ if (result < 0) return result;
+
+ result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER);
+ if (result < 0) {
+ gnutls_x509_crt_deinit( xcert);
+ return result;
+ }
+
+ result = gnutls_x509_crt_get_version( xcert);
+
+ gnutls_x509_crt_deinit( xcert);
+
+ return result;
+
+}
+
+/**
+ * gnutls_x509_extract_certificate_serial - This function returns the certificate's serial number
+ * @cert: is an X.509 DER encoded certificate
+ * @result: The place where the serial number will be copied
+ * @result_size: Holds the size of the result field.
+ *
+ * This function will return the X.509 certificate's serial number.
+ * This is obtained by the X509 Certificate serialNumber
+ * field. Serial is not always a 32 or 64bit number. Some CAs use
+ * large serial numbers, thus it may be wise to handle it as something
+ * opaque.
+ * Returns a negative value in case of an error.
+ *
+ **/
+int gnutls_x509_extract_certificate_serial(const gnutls_datum * cert, char* result, int* result_size)
+{
+ gnutls_x509_crt xcert;
+ size_t size = *result_size;
+ int ret;
+
+ ret = gnutls_x509_crt_init( &xcert);
+ if (ret < 0) return ret;
+
+ ret = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER);
+ if (ret < 0) {
+ gnutls_x509_crt_deinit( xcert);
+ return ret;
+ }
+
+ ret = gnutls_x509_crt_get_serial( xcert, result, &size);
+ *result_size = size;
+
+ gnutls_x509_crt_deinit( xcert);
+
+ return ret;
+}
+
+
+/**
+ * gnutls_x509_extract_certificate_pk_algorithm - This function returns the certificate's PublicKey algorithm
+ * @cert: is a DER encoded X.509 certificate
+ * @bits: if bits is non null it will hold the size of the parameters' in bits
+ *
+ * This function will return the public key algorithm of an X.509
+ * certificate.
+ *
+ * If bits is non null, it should have enough size to hold the parameters
+ * size in bits. For RSA the bits returned is the modulus.
+ * For DSA the bits returned are of the public
+ * exponent.
+ *
+ * Returns a member of the gnutls_pk_algorithm enumeration on success,
+ * or a negative value on error.
+ *
+ **/
+int gnutls_x509_extract_certificate_pk_algorithm( const gnutls_datum * cert, int* bits)
+{
+ gnutls_x509_crt xcert;
+ int result;
+
+ result = gnutls_x509_crt_init( &xcert);
+ if (result < 0) return result;
+
+ result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER);
+ if (result < 0) {
+ gnutls_x509_crt_deinit( xcert);
+ return result;
+ }
+
+ result = gnutls_x509_crt_get_pk_algorithm( xcert, bits);
+
+ gnutls_x509_crt_deinit( xcert);
+
+ return result;
+}
+
+
+/**
+ * gnutls_x509_extract_certificate_dn_string - This function returns the certificate's distinguished name
+ * @cert: should contain an X.509 DER encoded certificate
+ * @buf: a pointer to a structure to hold the peer's name
+ * @sizeof_buf: holds the size of 'buf'
+ * @issuer: if non zero, then extract the name of the issuer, instead of the holder
+ *
+ * This function will copy the name of the certificate holder in the provided buffer. The name
+ * will be in the form "C=xxxx,O=yyyy,CN=zzzz" as described in RFC2253.
+ *
+ * Returns GNUTLS_E_SHORT_MEMORY_BUFFER if the provided buffer is not long enough,
+ * and 0 on success.
+ *
+ **/
+int gnutls_x509_extract_certificate_dn_string(char *buf, unsigned int sizeof_buf,
+ const gnutls_datum * cert, int issuer)
+{
+ gnutls_x509_crt xcert;
+ int result;
+
+ result = gnutls_x509_crt_init( &xcert);
+ if (result < 0) return result;
+
+ result = gnutls_x509_crt_import( xcert, cert, GNUTLS_X509_FMT_DER);
+ if (result < 0) {
+ gnutls_x509_crt_deinit( xcert);
+ return result;
+ }
+
+ if (!issuer)
+ result = gnutls_x509_crt_get_dn( xcert, buf, &sizeof_buf);
+ else
+ result = gnutls_x509_crt_get_issuer_dn( xcert, buf, &sizeof_buf);
+
+ gnutls_x509_crt_deinit( xcert);
+
+ return result;
+}
+
+/**
+ * gnutls_x509_verify_certificate - This function verifies given certificate list
+ * @cert_list: is the certificate list to be verified
+ * @cert_list_length: holds the number of certificate in cert_list
+ * @CA_list: is the CA list which will be used in verification
+ * @CA_list_length: holds the number of CA certificate in CA_list
+ * @CRL_list: not used
+ * @CRL_list_length: not used
+ *
+ * This function will try to verify the given certificate list and return its status (TRUSTED, EXPIRED etc.).
+ * The return value (status) should be one or more of the gnutls_certificate_status
+ * enumerated elements bitwise or'd. Note that expiration and activation dates are not checked
+ * by this function, you should check them using the appropriate functions.
+ *
+ * This function understands the basicConstraints (2.5.29.19) PKIX extension.
+ * This means that only a certificate authority can sign a certificate.
+ *
+ * However you must also check the peer's name in order to check if the verified certificate belongs to the
+ * actual peer.
+ *
+ * The return value (status) should be one or more of the gnutls_certificate_status
+ * enumerated elements bitwise or'd.
+ *
+ * GNUTLS_CERT_INVALID\: the peer's certificate is not valid.
+ *
+ * GNUTLS_CERT_REVOKED\: the certificate has been revoked.
+ *
+ * A negative error code is returned in case of an error.
+ * GNUTLS_E_NO_CERTIFICATE_FOUND is returned to indicate that + * no certificate was sent by the peer. + * + * + **/ +int gnutls_x509_verify_certificate( const gnutls_datum* cert_list, int cert_list_length, + const gnutls_datum * CA_list, int CA_list_length, + const gnutls_datum* CRL_list, int CRL_list_length) +{ + unsigned int verify; + gnutls_x509_crt *peer_certificate_list = NULL; + gnutls_x509_crt *ca_certificate_list = NULL; + gnutls_x509_crl *crl_list = NULL; + int peer_certificate_list_size=0, i, x, ret; + int ca_certificate_list_size=0, crl_list_size=0; + + if (cert_list == NULL || cert_list_length == 0) + return GNUTLS_E_NO_CERTIFICATE_FOUND; + + /* generate a list of gnutls_certs based on the auth info + * raw certs. + */ + peer_certificate_list_size = cert_list_length; + peer_certificate_list = + gnutls_calloc(1, + peer_certificate_list_size * + sizeof(gnutls_x509_crt)); + if (peer_certificate_list == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + ca_certificate_list_size = CA_list_length; + ca_certificate_list = + gnutls_calloc(1, + ca_certificate_list_size * + sizeof(gnutls_x509_crt)); + if (ca_certificate_list == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + /* allocate memory for CRL + */ + crl_list_size = CRL_list_length; + crl_list = + gnutls_calloc(1, + crl_list_size * + sizeof(gnutls_x509_crl)); + if (crl_list == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + /* convert certA_list to gnutls_cert* list + */ + for (i = 0; i < peer_certificate_list_size; i++) { + ret = gnutls_x509_crt_init( &peer_certificate_list[i]); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = + gnutls_x509_crt_import(peer_certificate_list[i], + &cert_list[i], GNUTLS_X509_FMT_DER); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + } + + /* convert CA_list to gnutls_x509_cert* list + */ + for (i = 0; i < ca_certificate_list_size; i++) { + ret = 
gnutls_x509_crt_init(&ca_certificate_list[i]); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = + gnutls_x509_crt_import(ca_certificate_list[i], + &CA_list[i], GNUTLS_X509_FMT_DER); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + } + +#ifdef ENABLE_PKI + /* convert CRL_list to gnutls_x509_crl* list + */ + for (i = 0; i < crl_list_size; i++) { + ret = gnutls_x509_crl_init( &crl_list[i]); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = + gnutls_x509_crl_import(crl_list[i], + &CRL_list[i], GNUTLS_X509_FMT_DER); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + } +#endif + + /* Verify certificate + */ + ret = + gnutls_x509_crt_list_verify(peer_certificate_list, + peer_certificate_list_size, + ca_certificate_list, ca_certificate_list_size, + crl_list, crl_list_size, 0, &verify); + + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + ret = verify; + + cleanup: + + if (peer_certificate_list != NULL) + for(x=0;x<peer_certificate_list_size;x++) { + if (peer_certificate_list[x] != NULL) + gnutls_x509_crt_deinit(peer_certificate_list[x]); + } + + if (ca_certificate_list != NULL) + for(x=0;x<ca_certificate_list_size;x++) { + if (ca_certificate_list[x] != NULL) + gnutls_x509_crt_deinit(ca_certificate_list[x]); + } + +#ifdef ENABLE_PKI + if (crl_list != NULL) + for(x=0;x<crl_list_size;x++) { + if (crl_list[x] != NULL) + gnutls_x509_crl_deinit(crl_list[x]); + } + + gnutls_free( crl_list); +#endif + + gnutls_free( ca_certificate_list); + gnutls_free( peer_certificate_list); + + return ret; +} + +/** + * gnutls_x509_extract_key_pk_algorithm - This function returns the keys's PublicKey algorithm + * @cert: is a DER encoded private key + * + * This function will return the public key algorithm of a DER encoded private + * key. + * + * Returns a member of the gnutls_pk_algorithm enumeration on success, + * or GNUTLS_E_UNKNOWN_PK_ALGORITHM on error. 
+ *
+ **/
+int gnutls_x509_extract_key_pk_algorithm( const gnutls_datum * key)
+{
+ gnutls_x509_privkey pkey;
+ int ret, pk;
+
+ ret = gnutls_x509_privkey_init( &pkey);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ ret = gnutls_x509_privkey_import( pkey, key, GNUTLS_X509_FMT_DER);
+ if (ret < 0) {
+ gnutls_assert();
+ return ret;
+ }
+
+ pk = gnutls_x509_privkey_get_pk_algorithm( pkey);
+
+ gnutls_x509_privkey_deinit( pkey);
+ return pk;
+}
+
+#ifdef ENABLE_PKI
+
+/**
+ * gnutls_x509_pkcs7_extract_certificate - This function returns a certificate in a PKCS7 certificate set
+ * @pkcs7_struct: should contain a PKCS7 DER formatted structure
+ * @indx: contains the index of the certificate to extract
+ * @certificate: the contents of the certificate will be copied there
+ * @certificate_size: should hold the size of the certificate
+ *
+ * This function will return a certificate of the PKCS7 or RFC2630 certificate set.
+ * Returns 0 on success. If the provided buffer is not long enough,
+ * then GNUTLS_E_SHORT_MEMORY_BUFFER is returned.
+ *
+ * After the last certificate has been read GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE
+ * will be returned.
+ *
+ **/
+int gnutls_x509_pkcs7_extract_certificate(const gnutls_datum * pkcs7_struct, int indx, char* certificate, int* certificate_size)
+{
+ gnutls_pkcs7 pkcs7;
+ int result;
+ size_t size = *certificate_size;
+
+ result = gnutls_pkcs7_init( &pkcs7);
+ if (result < 0) return result;
+
+ result = gnutls_pkcs7_import( pkcs7, pkcs7_struct, GNUTLS_X509_FMT_DER);
+ if (result < 0) {
+ gnutls_pkcs7_deinit( pkcs7);
+ return result;
+ }
+
+ result = gnutls_pkcs7_get_crt_raw( pkcs7, indx, certificate, &size);
+ *certificate_size = size;
+
+ gnutls_pkcs7_deinit( pkcs7);
+
+ return result;
+}
+
+
+/**
+ * gnutls_x509_pkcs7_extract_certificate_count - This function returns the number of certificates in a PKCS7 certificate set
+ * @pkcs7_struct: should contain a PKCS7 DER formatted structure
+ *
+ * This function will return the number of certifcates in the PKCS7 or
+ * RFC2630 certificate set.
+ *
+ * Returns a negative value on failure.
+ *
+ **/
+int gnutls_x509_pkcs7_extract_certificate_count(const gnutls_datum * pkcs7_struct)
+{
+ gnutls_pkcs7 pkcs7;
+ int result;
+
+ result = gnutls_pkcs7_init( &pkcs7);
+ if (result < 0) return result;
+
+ result = gnutls_pkcs7_import( pkcs7, pkcs7_struct, GNUTLS_X509_FMT_DER);
+ if (result < 0) {
+ gnutls_pkcs7_deinit( pkcs7);
+ return result;
+ }
+
+ result = gnutls_pkcs7_get_crt_count( pkcs7);
+
+ gnutls_pkcs7_deinit( pkcs7);
+
+ return result;
+}
+
+#endif
diff --git a/includes/gnutls/compat8.h b/libextra/openssl_compat.h
index 23e2b37b30..aa9f931c54 100644
--- a/includes/gnutls/compat8.h
+++ b/libextra/openssl_compat.h
@@ -2,71 +2,31 @@
 # define GNUTLS_COMPAT8_H
 /* Extra definitions */
+#include <gnutls/openssl.h>
-#define GNUTLS_X509_CN_SIZE 256
-#define GNUTLS_X509_C_SIZE 3
-#define GNUTLS_X509_O_SIZE 256
-#define GNUTLS_X509_OU_SIZE 256
-#define GNUTLS_X509_L_SIZE 256
-#define GNUTLS_X509_S_SIZE 256
-#define GNUTLS_X509_EMAIL_SIZE 256
-
-#ifdef __GNUC__
-
-#define _GT_GCC_VERSION (__GNUC__ * 10000 \
- + __GNUC_MINOR__ * 100 \
- + __GNUC_PATCHLEVEL__)
-
-#if _GT_GCC_VERSION >= 30100
-# ifndef DEPRECATED
-# define DEPRECATED __attribute__ ((__deprecated__))
-# endif
-#endif
-
-#endif
-
-#ifndef DEPRECATED
-# define DEPRECATED
-#endif
-
-typedef struct {
- char common_name[GNUTLS_X509_CN_SIZE];
- char country[GNUTLS_X509_C_SIZE];
- char organization[GNUTLS_X509_O_SIZE];
- char organizational_unit_name[GNUTLS_X509_OU_SIZE];
- char locality_name[GNUTLS_X509_L_SIZE];
- char state_or_province_name[GNUTLS_X509_S_SIZE];
- char email[GNUTLS_X509_EMAIL_SIZE];
-} gnutls_x509_dn;
-
-typedef struct {
- char name[GNUTLS_X509_CN_SIZE];
- char email[GNUTLS_X509_CN_SIZE];
-} gnutls_openpgp_name;
-
-int gnutls_x509_extract_dn( const gnutls_datum*, gnutls_x509_dn*) DEPRECATED;
+int gnutls_x509_extract_dn( const gnutls_datum*, gnutls_x509_dn*);
 int gnutls_x509_extract_dn_string(const gnutls_datum * idn,
- char *buf, unsigned int sizeof_buf) DEPRECATED;
-int gnutls_x509_extract_certificate_dn( const gnutls_datum*, gnutls_x509_dn*) DEPRECATED;
+ char *buf, unsigned int sizeof_buf);
+int gnutls_x509_extract_certificate_dn( const gnutls_datum*, gnutls_x509_dn*);
 int gnutls_x509_extract_certificate_dn_string(char *buf, unsigned int sizeof_buf,
- const gnutls_datum * cert, int issuer) DEPRECATED;
-int gnutls_x509_extract_certificate_issuer_dn( const gnutls_datum*, gnutls_x509_dn *) DEPRECATED;
-int gnutls_x509_extract_certificate_version( const gnutls_datum*) DEPRECATED;
-int gnutls_x509_extract_certificate_serial(const gnutls_datum * cert, char* result, int* result_size) DEPRECATED;
+ const 
gnutls_datum * cert, int issuer);
+int gnutls_x509_extract_certificate_issuer_dn( const gnutls_datum*, gnutls_x509_dn *);
+int gnutls_x509_extract_certificate_version( const gnutls_datum*);
+int gnutls_x509_extract_certificate_serial(const gnutls_datum * cert, char* result, int* result_size);
 time_t gnutls_x509_extract_certificate_activation_time( const gnutls_datum*);
 time_t gnutls_x509_extract_certificate_expiration_time( const gnutls_datum*);
-int gnutls_x509_extract_certificate_subject_alt_name( const gnutls_datum*, int seq, char*, int*) DEPRECATED;
-int gnutls_x509_pkcs7_extract_certificate(const gnutls_datum * pkcs7_struct, int indx, char* certificate, int* certificate_size) DEPRECATED;
-int gnutls_x509_extract_certificate_pk_algorithm( const gnutls_datum * cert, int* bits) DEPRECATED;
-int gnutls_x509_extract_certificate_ca_status(const gnutls_datum * cert) DEPRECATED;
-int gnutls_x509_extract_key_pk_algorithm( const gnutls_datum * key) DEPRECATED;
+int gnutls_x509_extract_certificate_subject_alt_name( const gnutls_datum*, int seq, char*, int*);
+int gnutls_x509_pkcs7_extract_certificate(const gnutls_datum * pkcs7_struct, int indx, char* certificate, int* certificate_size);
+int gnutls_x509_extract_certificate_pk_algorithm( const gnutls_datum * cert, int* bits);
+int gnutls_x509_extract_certificate_ca_status(const gnutls_datum * cert);
+int gnutls_x509_extract_key_pk_algorithm( const gnutls_datum * key);
-int gnutls_x509_verify_certificate( const gnutls_datum* cert_list, int cert_list_length, const gnutls_datum * CA_list, int CA_list_length, const gnutls_datum* CRL_list, int CRL_list_length) DEPRECATED;
+int gnutls_x509_verify_certificate( const gnutls_datum* cert_list, int cert_list_length, const gnutls_datum * CA_list, int CA_list_length, const gnutls_datum* CRL_list, int CRL_list_length);
 #define gnutls_x509_fingerprint gnutls_fingerprint
 #define gnutls_x509_certificate_format gnutls_x509_crt_fmt
-int gnutls_x509_extract_key_pk_algorithm( const 
gnutls_datum * key) DEPRECATED; +int gnutls_x509_extract_key_pk_algorithm( const gnutls_datum * key); #define gnutls_certificate_set_rsa_params gnutls_certificate_set_rsa_export_params diff --git a/src/certtool-gaa.c b/src/certtool-gaa.c index 7ec736b7b0..ff62cddee2 100644 --- a/src/certtool-gaa.c +++ b/src/certtool-gaa.c @@ -137,6 +137,7 @@ void gaa_help(void) __gaa_helpsingle('p', "generate-privkey", "", "Generate a private key."); __gaa_helpsingle('q', "generate-request", "", "Generate a PKCS #10 certificate request."); __gaa_helpsingle('e', "verify-chain", "", "Verify a PEM encoded certificate chain. The last certificate in the chain must be a self signed one."); + __gaa_helpsingle(0, "verify-crl", "", "Verify a CRL."); __gaa_helpsingle(0, "generate-dh-params", "", "Generate PKCS #3 encoded Diffie Hellman parameters."); __gaa_helpsingle(0, "load-privkey", "FILE ", "Private key file to use."); __gaa_helpsingle(0, "load-request", "FILE ", "Certificate request file to use."); 
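Review bot: `gnutls_x509_extract_key_pk_algorithm` is declared twice on the new side of this hunk — once in the run of prototypes ending with `gnutls_x509_extract_certificate_ca_status` and again after the `#define gnutls_x509_certificate_format` line — and the second copy should be dropped while the DEPRECATED markers are being removed anyway. The include guard `GNUTLS_COMPAT8_H` in the hunk's first context line still carries the old file name; renaming it to follow libextra/openssl_compat.h would keep it from clashing with any future compat8.h. The `gnutls_x509_dn` typedef is removed but the prototypes still take `gnutls_x509_dn*`, presumably now supplied by the added `#include <gnutls/openssl.h>`, whereas `gnutls_openpgp_name` is removed with no replacement visible here; worth confirming nothing in libextra still uses the OpenPGP name struct.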
@@ -176,35 +177,35 @@ typedef struct _gaainfo gaainfo; struct _gaainfo { -#line 88 "certtool.gaa" +#line 90 "certtool.gaa" int debug; -#line 85 "certtool.gaa" +#line 87 "certtool.gaa" char *infile; -#line 82 "certtool.gaa" +#line 84 "certtool.gaa" char *outfile; -#line 79 "certtool.gaa" +#line 81 "certtool.gaa" int bits; -#line 76 "certtool.gaa" +#line 78 "certtool.gaa" int outcert_format; -#line 73 "certtool.gaa" +#line 75 "certtool.gaa" int incert_format; -#line 70 "certtool.gaa" +#line 72 "certtool.gaa" int export; -#line 67 "certtool.gaa" +#line 69 "certtool.gaa" int dsa; -#line 64 "certtool.gaa" +#line 66 "certtool.gaa" int pkcs8; -#line 49 "certtool.gaa" +#line 51 "certtool.gaa" char *pass; -#line 46 "certtool.gaa" +#line 48 "certtool.gaa" char *ca; -#line 43 "certtool.gaa" +#line 45 "certtool.gaa" char *ca_privkey; -#line 40 "certtool.gaa" +#line 42 "certtool.gaa" char *cert; -#line 37 "certtool.gaa" +#line 39 "certtool.gaa" char *request; -#line 34 "certtool.gaa" +#line 36 "certtool.gaa" char *privkey; #line 17 "certtool.gaa" int action; @@ -262,7 +263,7 @@ int gaa_error = 0; #define GAA_MULTIPLE_OPTION 3 #define GAA_REST 0 -#define GAA_NB_OPTION 32 +#define GAA_NB_OPTION 33 #define GAAOPTID_copyright 1 #define GAAOPTID_version 2 #define GAAOPTID_help 3 
@@ -288,13 +289,14 @@ int gaa_error = 0; #define GAAOPTID_load_request 23 #define GAAOPTID_load_privkey 24 #define GAAOPTID_generate_dh_params 25 -#define GAAOPTID_verify_chain 26 -#define GAAOPTID_generate_request 27 -#define GAAOPTID_generate_privkey 28 -#define GAAOPTID_update_certificate 29 -#define GAAOPTID_generate_crl 30 -#define GAAOPTID_generate_certificate 31 -#define GAAOPTID_generate_self_signed 32 +#define GAAOPTID_verify_crl 26 +#define GAAOPTID_verify_chain 27 +#define GAAOPTID_generate_request 28 +#define GAAOPTID_generate_privkey 29 +#define GAAOPTID_update_certificate 30 +#define GAAOPTID_generate_crl 31 +#define GAAOPTID_generate_certificate 32 +#define GAAOPTID_generate_self_signed 33 #line 168 "gaa.skel" @@ -597,6 +599,7 @@ int gaa_get_option_num(char *str, int status) GAA_CHECK1STR("l", GAAOPTID_crl_info); GAA_CHECK1STR("i", GAAOPTID_certificate_info); GAA_CHECK1STR("", GAAOPTID_generate_dh_params); + GAA_CHECK1STR("", GAAOPTID_verify_crl); GAA_CHECK1STR("e", GAAOPTID_verify_chain); GAA_CHECK1STR("q", GAAOPTID_generate_request); GAA_CHECK1STR("p", GAAOPTID_generate_privkey); @@ -633,6 +636,7 @@ int gaa_get_option_num(char *str, int status) GAA_CHECKSTR("load-request", GAAOPTID_load_request); GAA_CHECKSTR("load-privkey", GAAOPTID_load_privkey); GAA_CHECKSTR("generate-dh-params", GAAOPTID_generate_dh_params); + GAA_CHECKSTR("verify-crl", GAAOPTID_verify_crl); GAA_CHECKSTR("verify-chain", GAAOPTID_verify_chain); GAA_CHECKSTR("generate-request", GAAOPTID_generate_request); GAA_CHECKSTR("generate-privkey", GAAOPTID_generate_privkey); 
@@ -684,21 +688,21 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) { case GAAOPTID_copyright: OK = 0; -#line 94 "certtool.gaa" +#line 96 "certtool.gaa" { print_license(); exit(0); ;}; return GAA_OK; break; case GAAOPTID_version: OK = 0; -#line 93 "certtool.gaa" +#line 95 "certtool.gaa" { certtool_version(); exit(0); ;}; return GAA_OK; break; case GAAOPTID_help: OK = 0; -#line 91 "certtool.gaa" +#line 93 "certtool.gaa" { gaa_help(); exit(0); ;}; return GAA_OK; @@ -708,7 +712,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_debug.arg1, gaa_getint, GAATMP_debug.size1); gaa_index++; -#line 89 "certtool.gaa" +#line 91 "certtool.gaa" { gaaval->debug = GAATMP_debug.arg1 ;}; return GAA_OK; @@ -718,7 +722,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_infile.arg1, gaa_getstr, GAATMP_infile.size1); gaa_index++; -#line 86 "certtool.gaa" +#line 88 "certtool.gaa" { gaaval->infile = GAATMP_infile.arg1 ;}; return GAA_OK; @@ -728,7 +732,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_outfile.arg1, gaa_getstr, GAATMP_outfile.size1); gaa_index++; -#line 83 "certtool.gaa" +#line 85 "certtool.gaa" { gaaval->outfile = GAATMP_outfile.arg1 ;}; return GAA_OK; 
@@ -738,84 +742,84 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_bits.arg1, gaa_getint, GAATMP_bits.size1); gaa_index++; -#line 80 "certtool.gaa" +#line 82 "certtool.gaa" { gaaval->bits = GAATMP_bits.arg1 ;}; return GAA_OK; break; case GAAOPTID_outder: OK = 0; -#line 77 "certtool.gaa" +#line 79 "certtool.gaa" { gaaval->outcert_format=1 ;}; return GAA_OK; break; case GAAOPTID_inder: OK = 0; -#line 74 "certtool.gaa" +#line 76 "certtool.gaa" { gaaval->incert_format=1 ;}; return GAA_OK; break; case GAAOPTID_export_ciphers: OK = 0; -#line 71 "certtool.gaa" +#line 73 "certtool.gaa" { gaaval->export=1 ;}; return GAA_OK; break; case GAAOPTID_dsa: OK = 0; -#line 68 "certtool.gaa" +#line 70 "certtool.gaa" { gaaval->dsa=1 ;}; return GAA_OK; break; case GAAOPTID_pkcs8: OK = 0; -#line 65 "certtool.gaa" +#line 67 "certtool.gaa" { gaaval->pkcs8=1 ;}; return GAA_OK; break; case GAAOPTID_to_p12: OK = 0; -#line 62 "certtool.gaa" +#line 64 "certtool.gaa" { gaaval->action = 8; ;}; return GAA_OK; break; case GAAOPTID_key_info: OK = 0; -#line 60 "certtool.gaa" +#line 62 "certtool.gaa" { gaaval->action = 6; ;}; return GAA_OK; break; case GAAOPTID_p7_info: OK = 0; -#line 58 "certtool.gaa" +#line 60 "certtool.gaa" { gaaval->action = 12; ;}; return GAA_OK; break; case GAAOPTID_p12_info: OK = 0; -#line 56 "certtool.gaa" +#line 58 "certtool.gaa" { gaaval->action = 9; ;}; return GAA_OK; break; case GAAOPTID_crl_info: OK = 0; -#line 54 "certtool.gaa" +#line 56 "certtool.gaa" { gaaval->action = 11; ;}; return GAA_OK; break; case GAAOPTID_certificate_info: OK = 0; -#line 52 "certtool.gaa" +#line 54 "certtool.gaa" { gaaval->action = 2; ;}; return GAA_OK; 
@@ -825,7 +829,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_password.arg1, gaa_getstr, GAATMP_password.size1); gaa_index++; -#line 50 "certtool.gaa" +#line 52 "certtool.gaa" { gaaval->pass = GAATMP_password.arg1 ;}; return GAA_OK; @@ -835,7 +839,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_load_ca_certificate.arg1, gaa_getstr, GAATMP_load_ca_certificate.size1); gaa_index++; -#line 47 "certtool.gaa" +#line 49 "certtool.gaa" { gaaval->ca = GAATMP_load_ca_certificate.arg1 ;}; return GAA_OK; @@ -845,7 +849,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_load_ca_privkey.arg1, gaa_getstr, GAATMP_load_ca_privkey.size1); gaa_index++; -#line 44 "certtool.gaa" +#line 46 "certtool.gaa" { gaaval->ca_privkey = GAATMP_load_ca_privkey.arg1 ;}; return GAA_OK; @@ -855,7 +859,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_load_certificate.arg1, gaa_getstr, GAATMP_load_certificate.size1); gaa_index++; -#line 41 "certtool.gaa" +#line 43 "certtool.gaa" { gaaval->cert = GAATMP_load_certificate.arg1 ;}; return GAA_OK; @@ -865,7 +869,7 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_load_request.arg1, gaa_getstr, GAATMP_load_request.size1); gaa_index++; -#line 38 "certtool.gaa" +#line 40 "certtool.gaa" { gaaval->request = GAATMP_load_request.arg1 ;}; return GAA_OK; 
@@ -875,18 +879,25 @@ int gaa_try(int gaa_num, int gaa_index, gaainfo *gaaval, char *opt_list) GAA_TESTMOREARGS; GAA_FILL(GAATMP_load_privkey.arg1, gaa_getstr, GAATMP_load_privkey.size1); gaa_index++; -#line 35 "certtool.gaa" +#line 37 "certtool.gaa" { gaaval->privkey = GAATMP_load_privkey.arg1 ;}; return GAA_OK; break; case GAAOPTID_generate_dh_params: OK = 0; -#line 32 "certtool.gaa" +#line 34 "certtool.gaa" { gaaval->action=10; ;}; return GAA_OK; break; + case GAAOPTID_verify_crl: + OK = 0; +#line 32 "certtool.gaa" +{ gaaval->action=14; ;}; + + return GAA_OK; + break; case GAAOPTID_verify_chain: OK = 0; #line 30 "certtool.gaa" @@ -960,7 +971,7 @@ int gaa(int argc, char **argv, gaainfo *gaaval) if(inited == 0) { -#line 96 "certtool.gaa" +#line 98 "certtool.gaa" { gaaval->bits = 1024; gaaval->pkcs8 = 0; gaaval->privkey = NULL; gaaval->ca=NULL; gaaval->ca_privkey = NULL; gaaval->debug=1; gaaval->request = NULL; gaaval->infile = NULL; gaaval->outfile = NULL; gaaval->cert = NULL; gaaval->incert_format = 0; gaaval->outcert_format = 0; gaaval->action=-1; gaaval->pass = NULL; diff --git a/src/certtool-gaa.h b/src/certtool-gaa.h index 18cca0ca96..2bef4af05b 100644 --- a/src/certtool-gaa.h +++ b/src/certtool-gaa.h 
@@ -8,35 +8,35 @@ typedef struct _gaainfo gaainfo; struct _gaainfo { -#line 88 "certtool.gaa" +#line 90 "certtool.gaa" int debug; -#line 85 "certtool.gaa" +#line 87 "certtool.gaa" char *infile; -#line 82 "certtool.gaa" +#line 84 "certtool.gaa" char *outfile; -#line 79 "certtool.gaa" +#line 81 "certtool.gaa" int bits; -#line 76 "certtool.gaa" +#line 78 "certtool.gaa" int outcert_format; -#line 73 "certtool.gaa" +#line 75 "certtool.gaa" int incert_format; -#line 70 "certtool.gaa" +#line 72 "certtool.gaa" int export; -#line 67 "certtool.gaa" +#line 69 "certtool.gaa" int dsa; -#line 64 "certtool.gaa" +#line 66 "certtool.gaa" int pkcs8; -#line 49 "certtool.gaa" +#line 51 "certtool.gaa" char *pass; -#line 46 "certtool.gaa" +#line 48 "certtool.gaa" char *ca; -#line 43 "certtool.gaa" +#line 45 "certtool.gaa" char *ca_privkey; -#line 40 "certtool.gaa" +#line 42 "certtool.gaa" char *cert; -#line 37 "certtool.gaa" +#line 39 "certtool.gaa" char *request; -#line 34 "certtool.gaa" +#line 36 "certtool.gaa" char *privkey; #line 17 "certtool.gaa" int action; diff --git a/src/certtool.c b/src/certtool.c index 0d62ed2f12..d587806454 100644 --- a/src/certtool.c +++ b/src/certtool.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2003 Nikos Mavroyanopoulos + * Copyright (C) 2004 Free Software Foundation * * This file is part of GNUTLS. * @@ -38,6 +39,7 @@ void pkcs7_info( void); void pkcs12_info( void); void generate_pkcs12( void); void verify_chain(void); +void verify_crl(void); gnutls_x509_privkey load_private_key(int mand); gnutls_x509_crq load_request(void); gnutls_x509_privkey load_ca_private_key(void); @@ -772,6 +774,9 @@ int ret; case 13: generate_signed_crl(); break; + case 14: + verify_crl(); + break; default: fprintf(stderr, "GnuTLS' certtool utility.\n"); fprintf(stderr, "Please use the --help to get help on this program.\n"); 
@@ -1114,6 +1119,7 @@ static void print_crl_info( gnutls_x509_crl crl, FILE* out, int all)
 char *print, dn[256];
 const char* cprint;
+ fprintf(out, "CRL information:\n");
 fprintf(out, "Version: %d\n", gnutls_x509_crl_get_version(crl));
 /* Issuer
@@ -1475,7 +1481,8 @@ static gnutls_x509_crt crt[MAX_CERTS];
 char* ptr;
 int ret, i;
 gnutls_datum dat;
-size_t size, ptr_size;
+size_t size;
+int ptr_size;
 *crt_size = 0;
 fprintf(stderr, "Loading certificate list...\n");
@@ -1522,7 +1529,9 @@ size_t size, ptr_size;
 ptr++;
 ptr_size = size;
- ptr_size -= ((void*)ptr - (void*)buffer);
+ ptr_size -= (unsigned int)((unsigned char*)ptr - (unsigned char*)buffer);
+
+ if (ptr_size < 0) break;
 (*crt_size)++;
 }
@@ -1872,8 +1881,6 @@ time_t now = time(0);
 comma = 1;
 fprintf(outfile, "Revoked");
 }
-
-
 }
 void verify_chain( void)
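Review bot: The `(unsigned int)` cast on the new `ptr_size -=` line in the `@@ -1522` hunk works against the `if (ptr_size < 0) break;` guard added right after it: `int -= unsigned int` is evaluated in unsigned arithmetic, and the result only becomes negative through the implementation-defined conversion back to `int`, so the guard is not well-defined by the standard even though it happens to work on two's-complement targets. The pointer difference is already a signed `ptrdiff_t`, so keeping it signed, `ptr_size -= (int)(ptr - buffer);`, makes the check exact (this assumes `ptr` and `buffer` are both `char`-typed, which the casts suggest but the hunk does not show; otherwise cast both to `char *` before subtracting). The `int ptr_size` declaration introduced in the `@@ -1475` hunk has the same trade-off, since `ptr_size = size;` narrows a `size_t`; that is safe only because `buffer` is a fixed-size array, which is worth a one-line comment there. The enclosing function starts and ends outside these hunks.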
@@ -1881,11 +1888,89 @@ void verify_chain( void)
 size_t size;
 size = fread( buffer, 1, sizeof(buffer)-1, infile);
+ buffer[size] = 0;
 _verify_x509_mem( buffer, size);
 }
+void verify_crl( void)
+{
+size_t size, dn_size;
+char dn[128];
+unsigned int output;
+int comma=0;
+int ret;
+gnutls_datum pem;
+gnutls_x509_crl crl;
+time_t now = time(0);
+gnutls_x509_crt issuer;
+
+ issuer = load_ca_cert();
+
+ fprintf(outfile, "\nCA certificate:\n");
+ dn_size = sizeof(dn);
+ ret = gnutls_x509_crt_get_dn(issuer, dn, &dn_size);
+ if (ret >= 0)
+ fprintf(outfile, "\tSubject: %s\n\n", dn);
+
+ size = fread( buffer, 1, sizeof(buffer)-1, infile);
+ buffer[size] = 0;
+
+ pem.data = buffer;
+ pem.size = size;
+
+ gnutls_x509_crl_init( &crl);
+
+ ret = gnutls_x509_crl_import(crl, &pem, in_cert_format);
+ if (ret < 0) {
+ fprintf(stderr, "CRL decoding error: %s\n", gnutls_strerror(ret));
+ exit(1);
+ }
+
+ print_crl_info( crl, outfile, 1);
+
+
+ fprintf(outfile, "Verification output: ");
+ ret = gnutls_x509_crl_verify( crl, &issuer, 1, 0, &output);
+ if (ret < 0) {
+ fprintf(stderr, "Error in verification: %s\n", gnutls_strerror(ret));
+ exit(1);
+ }
+
+ if (output&GNUTLS_CERT_NOT_TRUSTED) {
+ fprintf(outfile, "Not verified");
+ comma = 1;
+ } else {
+ fprintf(outfile, "Verified");
+ comma = 1;
+ }
+
+ if (output&GNUTLS_CERT_SIGNER_NOT_CA) {
+ if (comma) fprintf(outfile, ", ");
+ fprintf(outfile, "Issuer is not a CA");
+ comma = 1;
+ }
+
+ /* Check expiration dates.
+ */
+
+ if (gnutls_x509_crl_get_this_update(crl) > now) {
+ if (comma) fprintf(outfile, ", ");
+ comma = 1;
+ fprintf(outfile, "Issued in the future!");
+ }
+
+ if (gnutls_x509_crl_get_next_update(crl) < now) {
+ if (comma) fprintf(outfile, ", ");
+ comma = 1;
+ fprintf(outfile, "CRL is not up to date");
+ }
+
+ fprintf(outfile, "\n");
+
+}
+
 #include <gnutls/pkcs12.h>
 #include <unistd.h>
diff --git a/src/certtool.gaa b/src/certtool.gaa
index 5418c66f8c..9fb257e93f 100644
--- a/src/certtool.gaa
+++ b/src/certtool.gaa
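Review bot: The `gnutls_x509_crl_get_next_update(crl) < now` test in the new `verify_crl` reports "CRL is not up to date" for a CRL that simply omits the nextUpdate field (it is OPTIONAL in the CRL syntax), because the getter presumably follows the `(time_t) -1` error convention the other time getters in this commit document, and -1 is always less than `now`; store the value first and skip the comparison when it is -1, e.g. `time_t next = gnutls_x509_crl_get_next_update(crl); if (next != (time_t)-1 && next < now) {`. A negative verification result — `GNUTLS_CERT_NOT_TRUSTED`, `GNUTLS_CERT_SIGNER_NOT_CA`, or either date check — is only written to outfile and the function then returns normally, so as far as this hunk shows the process exit status is the same for a verified and an unverified CRL; a `failed = 1;` next to each failure message and `if (failed) exit(1);` after the final newline would let callers rely on the exit code the way the decode and verify error paths already do. `gnutls_x509_crl_init( &crl)` is the one gnutls call here whose return value is ignored, and neither `crl` nor `issuer` is deinitialised before return, which is harmless in a one-shot tool but inconsistent with the surrounding code.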
@@ -29,6 +29,8 @@ option (q, generate-request) { $action=3; } "Generate a PKCS #10 certificate req option (e, verify-chain) { $action=5; } "Verify a PEM encoded certificate chain. The last certificate in the chain must be a self signed one." +option (verify-crl) { $action=14; } "Verify a CRL." + option (generate-dh-params) { $action=10; } "Generate PKCS #3 encoded Diffie Hellman parameters." #char *privkey; @@ -1,5 +1,6 @@ /* * Copyright (C) 2000,2001,2002,2003 Nikos Mavroyanopoulos + * Copyright (C) 2004 Free Software Foundation * * This file is part of GNUTLS. * diff --git a/src/crypt.c b/src/crypt.c index 893804f338..9fefb5d643 100644 --- a/src/crypt.c +++ b/src/crypt.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2001,2003 Nikos Mavroyanopoulos + * Copyright (C) 2004 Free Software Foundation * * This file is part of GNUTLS. * diff --git a/src/prime.c b/src/prime.c index 72edcdf85c..afa4581109 100644 --- a/src/prime.c +++ b/src/prime.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2001,2002,2003 Nikos Mavroyanopoulos + * Copyright (C) 2004 Free Software Foundation * * This file is part of GNUTLS. * diff --git a/src/serv.c b/src/serv.c index bd43904a74..561e47664b 100644 --- a/src/serv.c +++ b/src/serv.c @@ -1,6 +1,7 @@ /* * Copyright (C) 2001,2002 Paul Sheer * Portions Copyright (C) 2002,2003 Nikos Mavroyanopoulos + * Copyright (C) 2004 Free Software Foundation * * This file is part of GNUTLS. * diff --git a/src/tests.c b/src/tests.c index eba1297aab..74060bc69b 100644 --- a/src/tests.c +++ b/src/tests.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2000,2001,2002,2003 Nikos Mavroyanopoulos + * Copyright (C) 2004 Free Software Foundation * * This file is part of GNUTLS. * diff --git a/src/tls_test.c b/src/tls_test.c index 83cf5eefad..bf7691b618 100644 --- a/src/tls_test.c +++ b/src/tls_test.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2000,2001,2002,2003 Nikos Mavroyanopoulos + * Copyright (C) 2004 Free Software Foundation * * This file is part of GNUTLS. * |