diff options
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | NEWS | 10 | ||||
-rw-r--r-- | lib/gnutls_cert.c | 21 | ||||
-rw-r--r-- | lib/includes/gnutls/gnutls.h.in | 36 | ||||
-rw-r--r-- | lib/includes/gnutls/x509.h | 3 | ||||
-rw-r--r-- | lib/libgnutls.map | 2 | ||||
-rw-r--r-- | lib/x509/verify-high.c | 44 | ||||
-rw-r--r-- | tests/Makefile.am | 3 | ||||
-rw-r--r-- | tests/x509cert.c | 187 |
9 files changed, 291 insertions, 16 deletions
diff --git a/.gitignore b/.gitignore index be6c73bae2..d0fc83e5b8 100644 --- a/.gitignore +++ b/.gitignore @@ -452,3 +452,4 @@ lib/ext/libgnutls_ext.la lib/auth/libgnutls_auth.la tests/cipher-test tests/suite/x509paths/X509tests +tests/x509cert @@ -3,6 +3,16 @@ Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software Foundation, Inc. See the end for copying conditions. +* Version 2.99.2 (unreleased) + +** libgnutls: Added gnutls_certificate_get_issuer() and +gnutls_x509_trust_list_get_issuer() to compensate for the +missing gnutls_certificate_get_x509_cas(). + +** API and ABI modifications: +gnutls_certificate_get_issuer: ADDED +gnutls_x509_trust_list_get_issuer: ADDED + * Version 2.99.1 (released 2011-04-23) ** libgnutls: LZO support was removed. diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c index 91ad7caccf..2b8101c24b 100644 --- a/lib/gnutls_cert.c +++ b/lib/gnutls_cert.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, - * 2010 Free Software Foundation, Inc. + * 2010,2011 Free Software Foundation, Inc. * * Author: Nikos Mavrogiannopoulos * @@ -102,6 +102,25 @@ gnutls_certificate_free_cas (gnutls_certificate_credentials_t sc) } /** + * gnutls_certificate_get_issuer: + * @sc: is a #gnutls_certificate_credentials_t structure. + * @cert: is the certificate to find issuer for + * @issuer: Will hold the issuer if any. Should be treated as constant. + * @flags: Use zero. + * + * This function will return the issuer of a given certificate. + * + * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a + * negative error value. + **/ +int +gnutls_certificate_get_issuer (gnutls_certificate_credentials_t sc, + gnutls_x509_crt_t cert, gnutls_x509_crt_t* issuer, unsigned int flags) +{ + return gnutls_trust_list_get_issuer(sc->tlist, cert, issuer, flags); +} + +/** * gnutls_certificate_free_ca_names: * @sc: is a #gnutls_certificate_credentials_t structure. * diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in index 0cdbffd27a..46ea4a86f0 100644 --- a/lib/includes/gnutls/gnutls.h.in +++ b/lib/includes/gnutls/gnutls.h.in @@ -944,6 +944,24 @@ extern "C" gnutls_credentials_type_t type, void *cred); #define gnutls_cred_set gnutls_credentials_set +/* x.509 types */ + + struct gnutls_x509_privkey_int; + typedef struct gnutls_x509_privkey_int *gnutls_x509_privkey_t; + + struct gnutls_x509_crl_int; + typedef struct gnutls_x509_crl_int *gnutls_x509_crl_t; + + struct gnutls_x509_crt_int; + typedef struct gnutls_x509_crt_int *gnutls_x509_crt_t; + + struct gnutls_x509_crq_int; + typedef struct gnutls_x509_crq_int *gnutls_x509_crq_t; + + struct gnutls_openpgp_keyring_int; + typedef struct gnutls_openpgp_keyring_int *gnutls_openpgp_keyring_t; + + /* Credential structures - used in gnutls_credentials_set(); */ struct gnutls_certificate_credentials_st; @@ -988,6 +1006,10 @@ extern "C" gnutls_certificate_allocate_credentials (gnutls_certificate_credentials_t * res); + int + gnutls_certificate_get_issuer (gnutls_certificate_credentials_t sc, + gnutls_x509_crt_t cert, gnutls_x509_crt_t* issuer, unsigned int flags); + void gnutls_certificate_free_keys (gnutls_certificate_credentials_t sc); void gnutls_certificate_free_cas (gnutls_certificate_credentials_t sc); void gnutls_certificate_free_ca_names (gnutls_certificate_credentials_t sc); @@ -1043,20 +1065,6 @@ extern "C" /* New functions to allow setting already parsed X.509 stuff. */ - struct gnutls_x509_privkey_int; - typedef struct gnutls_x509_privkey_int *gnutls_x509_privkey_t; - - struct gnutls_x509_crl_int; - typedef struct gnutls_x509_crl_int *gnutls_x509_crl_t; - - struct gnutls_x509_crt_int; - typedef struct gnutls_x509_crt_int *gnutls_x509_crt_t; - - struct gnutls_x509_crq_int; - typedef struct gnutls_x509_crq_int *gnutls_x509_crq_t; - - struct gnutls_openpgp_keyring_int; - typedef struct gnutls_openpgp_keyring_int *gnutls_openpgp_keyring_t; int gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res, gnutls_x509_crt_t * cert_list, diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h index a3afeeb372..f220844d77 100644 --- a/lib/includes/gnutls/x509.h +++ b/lib/includes/gnutls/x509.h @@ -836,6 +836,9 @@ extern "C" void gnutls_x509_trust_list_deinit (gnutls_x509_trust_list_t list, unsigned int all); + int gnutls_trust_list_get_issuer(gnutls_x509_trust_list_t list, + gnutls_x509_crt_t cert, gnutls_x509_crt_t* issuer, unsigned int flags); + int gnutls_x509_trust_list_add_cas (gnutls_x509_trust_list_t list, const gnutls_x509_crt_t * clist, int clist_size, unsigned int flags); diff --git a/lib/libgnutls.map b/lib/libgnutls.map index 87d70cc37b..229792e955 100644 --- a/lib/libgnutls.map +++ b/lib/libgnutls.map @@ -709,6 +709,8 @@ GNUTLS_3_0_0 { gnutls_pcert_import_openpgp_raw; gnutls_pubkey_get_openpgp_key_id; gnutls_certificate_set_retrieve_function2; + gnutls_x509_trust_list_get_issuer; + gnutls_certificate_get_issuer; } GNUTLS_2_12; GNUTLS_PRIVATE { diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c index 8452009a27..f91122988e 100644 --- a/lib/x509/verify-high.c +++ b/lib/x509/verify-high.c @@ -314,6 +314,50 @@ gnutls_datum_t dn; return clist_size; } +/** + * gnutls_x509_trust_list_get_issuer: + * @list: The structure of the list + * @cert: is the certificate to find issuer for + * @issuer: Will hold the issuer if any. Should be treated as constant. + * @flags: Use zero. + * + * This function will attempt to find the issuer of the + * given certificate. + * + * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a + * negative error value. + **/ +int gnutls_trust_list_get_issuer(gnutls_x509_trust_list_t list, + gnutls_x509_crt_t cert, gnutls_x509_crt_t* issuer, unsigned int flags) +{ +gnutls_datum_t dn; +int ret, i; +uint32_t hash; + + ret = gnutls_x509_crt_get_raw_issuer_dn(cert, &dn); + if (ret < 0) + { + gnutls_assert(); + return ret; + } + + hash = _gnutls_bhash(dn.data, dn.size, INIT_HASH); + hash %= list->size; + + _gnutls_free_datum(&dn); + + for (i=0;i<list->node[hash].trusted_crt_size;i++) + { + ret = gnutls_x509_crt_check_issuer (cert, list->node[hash].trusted_crts[i]); + if (ret == 1) + { + *issuer = list->node[hash].trusted_crts[i]; + return 0; + } + } + + return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; +} /** * gnutls_x509_trust_list_verify_crt: diff --git a/tests/Makefile.am b/tests/Makefile.am index 3c58d68f75..48b1e41398 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -64,7 +64,8 @@ ctests = simple gc set_pkcs12_cred certder certuniqueid mpi \ crq_key_id x509sign-verify cve-2009-1415 cve-2009-1416 \ crq_apis init_roundtrip pkcs12_s2k_pem dn2 mini-eagain \ nul-in-x509-names x509_altname pkcs12_encode mini-x509 \ - mini-x509-rehandshake rng-fork mini-eagain-dtls cipher-test #gendh + mini-x509-rehandshake rng-fork mini-eagain-dtls cipher-test \ + x509cert #gendh if ENABLE_OPENSSL ctests += openssl diff --git a/tests/x509cert.c b/tests/x509cert.c new file mode 100644 index 0000000000..ddc08d63b3 --- /dev/null +++ b/tests/x509cert.c @@ -0,0 +1,187 @@ +/* + * Copyright (C) 2011 Free Software Foundation, Inc. + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GnuTLS. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * GnuTLS is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GnuTLS; if not, write to the Free Software Foundation, + * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/* Parts copied from GnuTLS example programs. */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/types.h> +#if !defined(_WIN32) +#include <netinet/in.h> +#include <sys/socket.h> +#include <sys/wait.h> +#include <arpa/inet.h> +#endif +#include <unistd.h> +#include <gnutls/gnutls.h> +#include <gnutls/x509.h> + +#include "utils.h" + +/* Test for gnutls_certificate_get_issuer() and implicitly for + * gnutls_trust_list_get_issuer(). + */ + +static void +tls_log_func (int level, const char *str) +{ + fprintf (stderr, "<%d>| %s", level, str); +} + +static unsigned char ca_pem[] = + "-----BEGIN CERTIFICATE-----\n" + "MIIB5zCCAVKgAwIBAgIERiYdJzALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" + "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTExWhcNMDgwNDE3MTMyOTExWjAZMRcw\n" + "FQYDVQQDEw5HbnVUTFMgdGVzdCBDQTCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA\n" + "vuyYeh1vfmslnuggeEKgZAVmQ5ltSdUY7H25WGSygKMUYZ0KT74v8C780qtcNt9T\n" + "7EPH/N6RvB4BprdssgcQLsthR3XKA84jbjjxNCcaGs33lvOz8A1nf8p3hD+cKfRi\n" + "kfYSW2JazLrtCC4yRCas/SPOUxu78of+3HiTfFm/oXUCAwEAAaNDMEEwDwYDVR0T\n" + "AQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQAMB0GA1UdDgQWBBTpPBz7rZJu5gak\n" + "Viyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAiaIRqGfp1jPpNeVhABK60SU0KIAy\n" + "njuu7kHq5peUgYn8Jd9zNzExBOEp1VOipGsf6G66oQAhDFp2o8zkz7ZH71zR4HEW\n" + "KoX6n5Emn6DvcEH/9pAhnGxNHJAoS7czTKv/JDZJhkqHxyrE1fuLsg5Qv25DTw7+\n" + "PfqUpIhz5Bbm7J4=\n" "-----END CERTIFICATE-----\n"; +const gnutls_datum_t ca = { ca_pem, sizeof (ca_pem) }; + +static unsigned char cert_pem[] = + "-----BEGIN CERTIFICATE-----\n" + "MIICHjCCAYmgAwIBAgIERiYdNzALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" + "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTI3WhcNMDgwNDE3MTMyOTI3WjAdMRsw\n" + "GQYDVQQDExJHbnVUTFMgdGVzdCBjbGllbnQwgZwwCwYJKoZIhvcNAQEBA4GMADCB\n" + "iAKBgLtmQ/Xyxde2jMzF3/WIO7HJS2oOoa0gUEAIgKFPXKPQ+GzP5jz37AR2ExeL\n" + "ZIkiW8DdU3w77XwEu4C5KL6Om8aOoKUSy/VXHqLnu7czSZ/ju0quak1o/8kR4jKN\n" + "zj2AC41179gAgY8oBAOgIo1hBAf6tjd9IQdJ0glhaZiQo1ipAgMBAAGjdjB0MAwG\n" + "A1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDwYDVR0PAQH/BAUDAweg\n" + "ADAdBgNVHQ4EFgQUTLkKm/odNON+3svSBxX+odrLaJEwHwYDVR0jBBgwFoAU6Twc\n" + "+62SbuYGpFYsouHAUyfI8pUwCwYJKoZIhvcNAQEFA4GBALujmBJVZnvaTXr9cFRJ\n" + "jpfc/3X7sLUsMvumcDE01ls/cG5mIatmiyEU9qI3jbgUf82z23ON/acwJf875D3/\n" + "U7jyOsBJ44SEQITbin2yUeJMIm1tievvdNXBDfW95AM507ShzP12sfiJkJfjjdhy\n" + "dc8Siq5JojruiMizAf0pA7in\n" "-----END CERTIFICATE-----\n"; +const gnutls_datum_t cert = { cert_pem, sizeof (cert_pem) }; + +static unsigned char key_pem[] = + "-----BEGIN RSA PRIVATE KEY-----\n" + "MIICXAIBAAKBgQC7ZkP18sXXtozMxd/1iDuxyUtqDqGtIFBACIChT1yj0Phsz+Y8\n" + "9+wEdhMXi2SJIlvA3VN8O+18BLuAuSi+jpvGjqClEsv1Vx6i57u3M0mf47tKrmpN\n" + "aP/JEeIyjc49gAuNde/YAIGPKAQDoCKNYQQH+rY3fSEHSdIJYWmYkKNYqQIDAQAB\n" + "AoGADpmARG5CQxS+AesNkGmpauepiCz1JBF/JwnyiX6vEzUh0Ypd39SZztwrDxvF\n" + "PJjQaKVljml1zkJpIDVsqvHdyVdse8M+Qn6hw4x2p5rogdvhhIL1mdWo7jWeVJTF\n" + "RKB7zLdMPs3ySdtcIQaF9nUAQ2KJEvldkO3m/bRJFEp54k0CQQDYy+RlTmwRD6hy\n" + "7UtMjR0H3CSZJeQ8svMCxHLmOluG9H1UKk55ZBYfRTsXniqUkJBZ5wuV1L+pR9EK\n" + "ca89a+1VAkEA3UmBelwEv2u9cAU1QjKjmwju1JgXbrjEohK+3B5y0ESEXPAwNQT9\n" + "TrDM1m9AyxYTWLxX93dI5QwNFJtmbtjeBQJARSCWXhsoaDRG8QZrCSjBxfzTCqZD\n" + "ZXtl807ymCipgJm60LiAt0JLr4LiucAsMZz6+j+quQbSakbFCACB8SLV1QJBAKZQ\n" + "YKf+EPNtnmta/rRKKvySsi3GQZZN+Dt3q0r094XgeTsAqrqujVNfPhTMeP4qEVBX\n" + "/iVX2cmMTSh3w3z8MaECQEp0XJWDVKOwcTW6Ajp9SowtmiZ3YDYo1LF9igb4iaLv\n" + "sWZGfbnU3ryjvkb6YuFjgtzbZDZHWQCo8/cOtOBmPdk=\n" + "-----END RSA PRIVATE KEY-----\n"; +const gnutls_datum_t key = { key_pem, sizeof (key_pem) }; + +static unsigned char server_cert_pem[] = + "-----BEGIN CERTIFICATE-----\n" + "MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251\n" + "VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw\n" + "GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz\n" + "Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B\n" + "dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2\n" + "DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1\n" + "tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT\n" + "MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B\n" + "Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME\n" + "GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7\n" + "bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1\n" + "AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg\n" + "rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=\n" "-----END CERTIFICATE-----\n"; + +const gnutls_datum_t server_cert = { server_cert_pem, + sizeof (server_cert_pem) +}; + +static unsigned char server_key_pem[] = + "-----BEGIN RSA PRIVATE KEY-----\n" + "MIICXAIBAAKBgQDXulyvowzwLqknVqpTjqjrf4F1TGuYvkrqtx74S8NqxNoNALjq\n" + "TBMfNhaT3nLvxqResm62ygqIVXWQlu2mV7wMO3YNlx696ex/06ns+4VkoGugSM53\n" + "fnOcMRP/PciupWBu2baMWppvtr6far2n8KAzJ/W3HZLllpxzUtaf1siOsQIDAQAB\n" + "AoGAYAFyKkAYC/PYF8e7+X+tsVCHXppp8AoP8TEZuUqOZz/AArVlle/ROrypg5kl\n" + "8YunrvUdzH9R/KZ7saNZlAPLjZyFG9beL/am6Ai7q7Ma5HMqjGU8kTEGwD7K+lbG\n" + "iomokKMOl+kkbY/2sI5Czmbm+/PqLXOjtVc5RAsdbgvtmvkCQQDdV5QuU8jap8Hs\n" + "Eodv/tLJ2z4+SKCV2k/7FXSKWe0vlrq0cl2qZfoTUYRnKRBcWxc9o92DxK44wgPi\n" + "oMQS+O7fAkEA+YG+K9e60sj1K4NYbMPAbYILbZxORDecvP8lcphvwkOVUqbmxOGh\n" + "XRmTZUuhBrJhJKKf6u7gf3KWlPl6ShKEbwJASC118cF6nurTjuLf7YKARDjNTEws\n" + "qZEeQbdWYINAmCMj0RH2P0mvybrsXSOD5UoDAyO7aWuqkHGcCLv6FGG+qwJAOVqq\n" + "tXdUucl6GjOKKw5geIvRRrQMhb/m5scb+5iw8A4LEEHPgGiBaF5NtJZLALgWfo5n\n" + "hmC8+G8F0F78znQtPwJBANexu+Tg5KfOnzSILJMo3oXiXhf5PqXIDmbN0BKyCKAQ\n" + "LfkcEcUbVfmDaHpvzwY9VEaoMOKVLitETXdNSxVpvWM=\n" + "-----END RSA PRIVATE KEY-----\n"; + +const gnutls_datum_t server_key = { server_key_pem, + sizeof (server_key_pem) +}; + + +void +doit (void) +{ + gnutls_certificate_credentials_t x509_cred; + int ret; + gnutls_x509_crt_t crt, issuer; + char dn[128]; + size_t dn_size; + + /* this must be called once in the program + */ + gnutls_global_init (); + + gnutls_global_set_log_function (tls_log_func); + if (debug) + gnutls_global_set_log_level (6); + + gnutls_certificate_allocate_credentials (&x509_cred); + gnutls_certificate_set_x509_trust_mem (x509_cred, &ca, GNUTLS_X509_FMT_PEM); + + gnutls_certificate_set_x509_key_mem (x509_cred, &server_cert, &server_key, + GNUTLS_X509_FMT_PEM); + + /* test for gnutls_certificate_get_issuer() */ + gnutls_x509_crt_init(&crt); + ret = gnutls_x509_crt_import(crt, &cert, GNUTLS_X509_FMT_PEM); + if (ret < 0) + fail("gnutls_x509_crt_import"); + + ret = gnutls_certificate_get_issuer(x509_cred, crt, &issuer, 0); + if (ret < 0) + fail("gnutls_certificate_get_isser"); + + dn_size = sizeof(dn); + ret = gnutls_x509_crt_get_dn(issuer, dn, &dn_size); + if (ret < 0) + fail("gnutls_certificate_get_isser"); + + fprintf(stderr, "Issuer's DN: %s\n", dn); + + success("success"); +} |