Diffstat (limited to 'lib/cert-cred-x509.c')
-rw-r--r--lib/cert-cred-x509.c181
1 files changed, 90 insertions, 91 deletions
diff --git a/lib/cert-cred-x509.c b/lib/cert-cred-x509.c
index bbe27509c5..3799bc1029 100644
--- a/lib/cert-cred-x509.c
+++ b/lib/cert-cred-x509.c
@@ -48,7 +48,7 @@
#include "urls.h"
#include "cert-cred.h"
#ifdef _WIN32
-#include <wincrypt.h>
+# include <wincrypt.h>
#endif
/*
@@ -56,7 +56,6 @@
* related objects in a certificate credentials structure.
*/
-
/* Returns the name of the certificate of a null name
*/
int _gnutls_get_x509_name(gnutls_x509_crt_t crt, gnutls_str_array_t * names)
@@ -77,7 +76,7 @@ int _gnutls_get_x509_name(gnutls_x509_crt_t crt, gnutls_str_array_t * names)
ret2 =
_gnutls_str_array_append_idna(names, name,
- max_size);
+ max_size);
if (ret2 < 0) {
_gnutls_str_array_clear(names);
return gnutls_assert_val(ret2);
@@ -88,10 +87,12 @@ int _gnutls_get_x509_name(gnutls_x509_crt_t crt, gnutls_str_array_t * names)
if (have_dns_name == 0) {
max_size = sizeof(name);
ret =
- gnutls_x509_crt_get_dn_by_oid(crt, OID_X520_COMMON_NAME, 0, 0,
- name, &max_size);
+ gnutls_x509_crt_get_dn_by_oid(crt, OID_X520_COMMON_NAME, 0,
+ 0, name, &max_size);
if (ret >= 0) {
- ret = _gnutls_str_array_append_idna(names, name, max_size);
+ ret =
+ _gnutls_str_array_append_idna(names, name,
+ max_size);
if (ret < 0) {
_gnutls_str_array_clear(names);
return gnutls_assert_val(ret);
@@ -155,7 +156,9 @@ parse_der_cert_mem(gnutls_certificate_credentials_t res,
goto cleanup;
}
- ret = _gnutls_certificate_credential_append_keypair(res, key, names, ccert, 1);
+ ret =
+ _gnutls_certificate_credential_append_keypair(res, key, names,
+ ccert, 1);
if (ret < 0) {
gnutls_assert();
goto cleanup;
@@ -163,7 +166,7 @@ parse_der_cert_mem(gnutls_certificate_credentials_t res,
return ret;
- cleanup:
+ cleanup:
_gnutls_str_array_clear(&names);
gnutls_free(ccert);
return ret;
@@ -205,7 +208,7 @@ parse_pem_cert_mem(gnutls_certificate_credentials_t res,
count = 0;
do {
- tmp.data = (void *) ptr;
+ tmp.data = (void *)ptr;
tmp.size = size;
ret = gnutls_x509_crt_init(&unsorted[count]);
@@ -214,7 +217,9 @@ parse_pem_cert_mem(gnutls_certificate_credentials_t res,
goto cleanup;
}
- ret = gnutls_x509_crt_import(unsorted[count], &tmp, GNUTLS_X509_FMT_PEM);
+ ret =
+ gnutls_x509_crt_import(unsorted[count], &tmp,
+ GNUTLS_X509_FMT_PEM);
if (ret < 0) {
gnutls_assert();
goto cleanup;
@@ -247,8 +252,7 @@ parse_pem_cert_mem(gnutls_certificate_credentials_t res,
}
while (ptr != NULL && count < DEFAULT_MAX_VERIFY_DEPTH);
- ret =
- _gnutls_get_x509_name(unsorted[0], &names);
+ ret = _gnutls_get_x509_name(unsorted[0], &names);
if (ret < 0) {
gnutls_assert();
goto cleanup;
@@ -262,7 +266,8 @@ parse_pem_cert_mem(gnutls_certificate_credentials_t res,
ncerts = count;
ret =
- gnutls_pcert_import_x509_list(pcerts, unsorted, &ncerts, GNUTLS_X509_CRT_LIST_SORT);
+ gnutls_pcert_import_x509_list(pcerts, unsorted, &ncerts,
+ GNUTLS_X509_CRT_LIST_SORT);
if (ret < 0) {
gnutls_free(pcerts);
gnutls_assert();
@@ -270,7 +275,8 @@ parse_pem_cert_mem(gnutls_certificate_credentials_t res,
}
ret =
- _gnutls_certificate_credential_append_keypair(res, key, names, pcerts, ncerts);
+ _gnutls_certificate_credential_append_keypair(res, key, names,
+ pcerts, ncerts);
if (ret < 0) {
gnutls_assert();
goto cleanup;
@@ -281,7 +287,7 @@ parse_pem_cert_mem(gnutls_certificate_credentials_t res,
return ncerts;
- cleanup:
+ cleanup:
_gnutls_str_array_clear(&names);
for (i = 0; i < count; i++)
gnutls_x509_crt_deinit(unsorted[i]);
@@ -293,15 +299,12 @@ parse_pem_cert_mem(gnutls_certificate_credentials_t res,
return ret;
}
-
-
/* Reads a DER or PEM certificate from memory
*/
static int
read_cert_mem(gnutls_certificate_credentials_t res,
gnutls_privkey_t key,
- const void *cert,
- int cert_size, gnutls_x509_crt_fmt_t type)
+ const void *cert, int cert_size, gnutls_x509_crt_fmt_t type)
{
int ret;
@@ -339,9 +342,9 @@ static int tmp_pin_cb(void *userdata, int attempt, const char *token_url,
*/
int
_gnutls_read_key_mem(gnutls_certificate_credentials_t res,
- const void *key, int key_size, gnutls_x509_crt_fmt_t type,
- const char *pass, unsigned int flags,
- gnutls_privkey_t *rkey)
+ const void *key, int key_size, gnutls_x509_crt_fmt_t type,
+ const char *pass, unsigned int flags,
+ gnutls_privkey_t * rkey)
{
int ret;
gnutls_datum_t tmp;
@@ -387,11 +390,11 @@ _gnutls_read_key_mem(gnutls_certificate_credentials_t res,
return 0;
}
-
/* Reads a private key from a token.
*/
static int
-read_key_url(gnutls_certificate_credentials_t res, const char *url, gnutls_privkey_t *rkey)
+read_key_url(gnutls_certificate_credentials_t res, const char *url,
+ gnutls_privkey_t * rkey)
{
int ret;
gnutls_privkey_t pkey = NULL;
@@ -418,25 +421,25 @@ read_key_url(gnutls_certificate_credentials_t res, const char *url, gnutls_privk
return 0;
- cleanup:
+ cleanup:
if (pkey)
gnutls_privkey_deinit(pkey);
return ret;
}
-
#define MAX_PKCS11_CERT_CHAIN 8
/* Reads a certificate key from a token.
*/
static int
-read_cert_url(gnutls_certificate_credentials_t res, gnutls_privkey_t key, const char *url)
+read_cert_url(gnutls_certificate_credentials_t res, gnutls_privkey_t key,
+ const char *url)
{
int ret;
gnutls_x509_crt_t crt = NULL;
gnutls_pcert_st *ccert = NULL;
gnutls_str_array_t names;
- gnutls_datum_t t = {NULL, 0};
+ gnutls_datum_t t = { NULL, 0 };
unsigned i, count = 0;
_gnutls_str_array_init(&names);
@@ -476,7 +479,7 @@ read_cert_url(gnutls_certificate_credentials_t res, gnutls_privkey_t key, const
}
/* Try to load the whole certificate chain from the PKCS #11 token */
- for (i=0;i<MAX_PKCS11_CERT_CHAIN;i++) {
+ for (i = 0; i < MAX_PKCS11_CERT_CHAIN; i++) {
ret = gnutls_x509_crt_check_issuer(crt, crt);
if (i > 0 && ret != 0) {
/* self signed */
@@ -510,7 +513,9 @@ read_cert_url(gnutls_certificate_credentials_t res, gnutls_privkey_t key, const
gnutls_free(t.data);
}
- ret = _gnutls_certificate_credential_append_keypair(res, key, names, ccert, count);
+ ret =
+ _gnutls_certificate_credential_append_keypair(res, key, names,
+ ccert, count);
if (ret < 0) {
gnutls_assert();
goto cleanup;
@@ -520,7 +525,7 @@ read_cert_url(gnutls_certificate_credentials_t res, gnutls_privkey_t key, const
gnutls_x509_crt_deinit(crt);
return 0;
-cleanup:
+ cleanup:
if (crt != NULL)
gnutls_x509_crt_deinit(crt);
gnutls_free(t.data);
@@ -558,16 +563,14 @@ read_cert_file(gnutls_certificate_credentials_t res,
}
-
-
/* Reads PKCS-1 RSA private key file or a DSA file (in the format openssl
* stores it).
*/
int
_gnutls_read_key_file(gnutls_certificate_credentials_t res,
- const char *keyfile, gnutls_x509_crt_fmt_t type,
- const char *pass, unsigned int flags,
- gnutls_privkey_t *rkey)
+ const char *keyfile, gnutls_x509_crt_fmt_t type,
+ const char *pass, unsigned int flags,
+ gnutls_privkey_t * rkey)
{
int ret;
size_t size;
@@ -578,15 +581,17 @@ _gnutls_read_key_file(gnutls_certificate_credentials_t res,
/* if no PIN function is specified, and we have a PIN,
* specify one */
if (pass != NULL && res->pin.cb == NULL) {
- snprintf(res->pin_tmp, sizeof(res->pin_tmp), "%s", pass);
- gnutls_certificate_set_pin_function(res, tmp_pin_cb, res->pin_tmp);
+ snprintf(res->pin_tmp, sizeof(res->pin_tmp),
+ "%s", pass);
+ gnutls_certificate_set_pin_function(res,
+ tmp_pin_cb,
+ res->pin_tmp);
}
return read_key_url(res, keyfile, rkey);
} else
return
- gnutls_assert_val
- (GNUTLS_E_UNIMPLEMENTED_FEATURE);
+ gnutls_assert_val(GNUTLS_E_UNIMPLEMENTED_FEATURE);
}
data = read_file(keyfile, RF_BINARY | RF_SENSITIVE, &size);
@@ -685,8 +690,8 @@ gnutls_certificate_set_x509_key_mem2(gnutls_certificate_credentials_t res,
/* this should be first
*/
if ((ret = _gnutls_read_key_mem(res, key ? key->data : NULL,
- key ? key->size : 0, type, pass,
- flags, &rkey)) < 0)
+ key ? key->size : 0, type, pass,
+ flags, &rkey)) < 0)
return ret;
if ((ret = read_cert_mem(res, rkey, cert->data, cert->size, type)) < 0) {
@@ -704,7 +709,6 @@ gnutls_certificate_set_x509_key_mem2(gnutls_certificate_credentials_t res,
CRED_RET_SUCCESS(res);
}
-
/**
* gnutls_certificate_set_x509_key:
* @res: is a #gnutls_certificate_credentials_t type.
@@ -736,8 +740,7 @@ gnutls_certificate_set_x509_key_mem2(gnutls_certificate_credentials_t res,
int
gnutls_certificate_set_x509_key(gnutls_certificate_credentials_t res,
gnutls_x509_crt_t * cert_list,
- int cert_list_size,
- gnutls_x509_privkey_t key)
+ int cert_list_size, gnutls_x509_privkey_t key)
{
int ret;
int npcerts = 0;
@@ -762,9 +765,7 @@ gnutls_certificate_set_x509_key(gnutls_certificate_credentials_t res,
gnutls_privkey_set_pin_function(pkey, res->pin.cb,
res->pin.data);
- ret =
- gnutls_privkey_import_x509(pkey, key,
- GNUTLS_PRIVKEY_IMPORT_COPY);
+ ret = gnutls_privkey_import_x509(pkey, key, GNUTLS_PRIVKEY_IMPORT_COPY);
if (ret < 0) {
gnutls_assert();
return ret;
@@ -785,8 +786,9 @@ gnutls_certificate_set_x509_key(gnutls_certificate_credentials_t res,
}
ret =
- gnutls_pcert_import_x509_list(pcerts, cert_list, (unsigned int*)&cert_list_size,
- GNUTLS_X509_CRT_LIST_SORT);
+ gnutls_pcert_import_x509_list(pcerts, cert_list,
+ (unsigned int *)&cert_list_size,
+ GNUTLS_X509_CRT_LIST_SORT);
if (ret < 0) {
gnutls_assert();
goto cleanup;
@@ -794,8 +796,8 @@ gnutls_certificate_set_x509_key(gnutls_certificate_credentials_t res,
npcerts = cert_list_size;
ret =
- _gnutls_certificate_credential_append_keypair(res, pkey, names, pcerts,
- npcerts);
+ _gnutls_certificate_credential_append_keypair(res, pkey, names,
+ pcerts, npcerts);
if (ret < 0) {
gnutls_assert();
goto cleanup;
@@ -813,7 +815,7 @@ gnutls_certificate_set_x509_key(gnutls_certificate_credentials_t res,
CRED_RET_SUCCESS(res);
- cleanup:
+ cleanup:
while (npcerts-- > 0)
gnutls_pcert_deinit(&pcerts[npcerts]);
gnutls_free(pcerts);
@@ -848,8 +850,7 @@ gnutls_certificate_set_x509_key(gnutls_certificate_credentials_t res,
*/
int
gnutls_certificate_get_x509_key(gnutls_certificate_credentials_t res,
- unsigned index,
- gnutls_x509_privkey_t *key)
+ unsigned index, gnutls_x509_privkey_t * key)
{
if (index >= res->ncerts) {
gnutls_assert();
@@ -891,7 +892,7 @@ gnutls_certificate_get_x509_key(gnutls_certificate_credentials_t res,
int
gnutls_certificate_get_x509_crt(gnutls_certificate_credentials_t res,
unsigned index,
- gnutls_x509_crt_t **crt_list,
+ gnutls_x509_crt_t ** crt_list,
unsigned *crt_list_size)
{
int ret;
@@ -905,14 +906,16 @@ gnutls_certificate_get_x509_crt(gnutls_certificate_credentials_t res,
*crt_list_size = res->certs[index].cert_list_length;
*crt_list = _gnutls_reallocarray(NULL,
res->certs[index].cert_list_length,
- sizeof (gnutls_x509_crt_t));
+ sizeof(gnutls_x509_crt_t));
if (*crt_list == NULL) {
gnutls_assert();
return GNUTLS_E_MEMORY_ERROR;
}
for (i = 0; i < res->certs[index].cert_list_length; ++i) {
- ret = gnutls_pcert_export_x509(&res->certs[index].cert_list[i], &(*crt_list)[i]);
+ ret =
+ gnutls_pcert_export_x509(&res->certs[index].cert_list[i],
+ &(*crt_list)[i]);
if (ret < 0) {
while (i--)
gnutls_x509_crt_deinit((*crt_list)[i]);
@@ -963,7 +966,7 @@ gnutls_certificate_set_trust_list(gnutls_certificate_credentials_t res,
**/
void
gnutls_certificate_get_trust_list(gnutls_certificate_credentials_t res,
- gnutls_x509_trust_list_t *tlist)
+ gnutls_x509_trust_list_t * tlist)
{
*tlist = res->tlist;
}
@@ -1012,8 +1015,7 @@ gnutls_certificate_set_x509_key_file(gnutls_certificate_credentials_t res,
gnutls_x509_crt_fmt_t type)
{
return gnutls_certificate_set_x509_key_file2(res, certfile,
- keyfile, type, NULL,
- 0);
+ keyfile, type, NULL, 0);
}
/**
@@ -1068,7 +1070,8 @@ gnutls_certificate_set_x509_key_file2(gnutls_certificate_credentials_t res,
/* this should be first
*/
- if ((ret = _gnutls_read_key_file(res, keyfile, type, pass, flags, &rkey)) < 0)
+ if ((ret =
+ _gnutls_read_key_file(res, keyfile, type, pass, flags, &rkey)) < 0)
return ret;
if ((ret = read_cert_file(res, rkey, certfile, type)) < 0) {
@@ -1110,10 +1113,11 @@ gnutls_certificate_set_x509_trust_mem(gnutls_certificate_credentials_t res,
const gnutls_datum_t * ca,
gnutls_x509_crt_fmt_t type)
{
-int ret;
+ int ret;
ret = gnutls_x509_trust_list_add_trust_mem(res->tlist, ca, NULL,
- type, GNUTLS_TL_USE_IN_TLS, 0);
+ type, GNUTLS_TL_USE_IN_TLS,
+ 0);
if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
return 0;
@@ -1143,8 +1147,7 @@ int ret;
**/
int
gnutls_certificate_set_x509_trust(gnutls_certificate_credentials_t res,
- gnutls_x509_crt_t * ca_list,
- int ca_list_size)
+ gnutls_x509_crt_t * ca_list, int ca_list_size)
{
int ret, i, j;
gnutls_x509_crt_t *new_list;
@@ -1182,7 +1185,7 @@ gnutls_certificate_set_x509_trust(gnutls_certificate_credentials_t res,
gnutls_free(new_list);
return ret;
- cleanup:
+ cleanup:
for (j = 0; j < i; j++)
gnutls_x509_crt_deinit(new_list[j]);
gnutls_free(new_list);
@@ -1190,7 +1193,6 @@ gnutls_certificate_set_x509_trust(gnutls_certificate_credentials_t res,
return ret;
}
-
/**
* gnutls_certificate_set_x509_trust_file:
* @cred: is a #gnutls_certificate_credentials_t type.
@@ -1218,10 +1220,11 @@ gnutls_certificate_set_x509_trust_file(gnutls_certificate_credentials_t
cred, const char *cafile,
gnutls_x509_crt_fmt_t type)
{
-int ret;
+ int ret;
ret = gnutls_x509_trust_list_add_trust_file(cred->tlist, cafile, NULL,
- type, GNUTLS_TL_USE_IN_TLS, 0);
+ type, GNUTLS_TL_USE_IN_TLS,
+ 0);
if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
return 0;
@@ -1249,10 +1252,11 @@ gnutls_certificate_set_x509_trust_dir(gnutls_certificate_credentials_t cred,
const char *ca_dir,
gnutls_x509_crt_fmt_t type)
{
-int ret;
+ int ret;
ret = gnutls_x509_trust_list_add_trust_dir(cred->tlist, ca_dir, NULL,
- type, GNUTLS_TL_USE_IN_TLS, 0);
+ type, GNUTLS_TL_USE_IN_TLS,
+ 0);
if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
return 0;
@@ -1275,11 +1279,10 @@ int ret;
* Since: 3.0.20
**/
int
-gnutls_certificate_set_x509_system_trust(gnutls_certificate_credentials_t
- cred)
+gnutls_certificate_set_x509_system_trust(gnutls_certificate_credentials_t cred)
{
return gnutls_x509_trust_list_add_system_trust(cred->tlist,
- GNUTLS_TL_USE_IN_TLS, 0);
+ GNUTLS_TL_USE_IN_TLS, 0);
}
/**
@@ -1305,10 +1308,10 @@ gnutls_certificate_set_x509_crl_mem(gnutls_certificate_credentials_t res,
int ret;
if (res->flags & GNUTLS_CERTIFICATE_VERIFY_CRLS)
- flags |= GNUTLS_TL_VERIFY_CRL|GNUTLS_TL_FAIL_ON_INVALID_CRL;
+ flags |= GNUTLS_TL_VERIFY_CRL | GNUTLS_TL_FAIL_ON_INVALID_CRL;
ret = gnutls_x509_trust_list_add_trust_mem(res->tlist, NULL, CRL,
- type, flags, 0);
+ type, flags, 0);
if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
return 0;
@@ -1333,8 +1336,7 @@ gnutls_certificate_set_x509_crl_mem(gnutls_certificate_credentials_t res,
**/
int
gnutls_certificate_set_x509_crl(gnutls_certificate_credentials_t res,
- gnutls_x509_crl_t * crl_list,
- int crl_list_size)
+ gnutls_x509_crl_t * crl_list, int crl_list_size)
{
int ret, i, j;
gnutls_x509_crl_t *new_crl;
@@ -1342,7 +1344,7 @@ gnutls_certificate_set_x509_crl(gnutls_certificate_credentials_t res,
flags = GNUTLS_TL_USE_IN_TLS;
if (res->flags & GNUTLS_CERTIFICATE_VERIFY_CRLS)
- flags |= GNUTLS_TL_VERIFY_CRL|GNUTLS_TL_FAIL_ON_INVALID_CRL;
+ flags |= GNUTLS_TL_VERIFY_CRL | GNUTLS_TL_FAIL_ON_INVALID_CRL;
new_crl = _gnutls_reallocarray(NULL, crl_list_size,
sizeof(gnutls_x509_crl_t));
@@ -1365,7 +1367,7 @@ gnutls_certificate_set_x509_crl(gnutls_certificate_credentials_t res,
ret =
gnutls_x509_trust_list_add_crls(res->tlist, new_crl,
- crl_list_size, flags, 0);
+ crl_list_size, flags, 0);
if (ret < 0) {
gnutls_assert();
goto cleanup;
@@ -1374,7 +1376,7 @@ gnutls_certificate_set_x509_crl(gnutls_certificate_credentials_t res,
free(new_crl);
return ret;
- cleanup:
+ cleanup:
for (j = 0; j < i; j++)
gnutls_x509_crl_deinit(new_crl[j]);
free(new_crl);
@@ -1405,10 +1407,10 @@ gnutls_certificate_set_x509_crl_file(gnutls_certificate_credentials_t res,
unsigned flags = GNUTLS_TL_USE_IN_TLS;
if (res->flags & GNUTLS_CERTIFICATE_VERIFY_CRLS)
- flags |= GNUTLS_TL_VERIFY_CRL|GNUTLS_TL_FAIL_ON_INVALID_CRL;
+ flags |= GNUTLS_TL_VERIFY_CRL | GNUTLS_TL_FAIL_ON_INVALID_CRL;
ret = gnutls_x509_trust_list_add_trust_file(res->tlist, NULL, crlfile,
- type, flags, 0);
+ type, flags, 0);
if (ret == GNUTLS_E_NO_CERTIFICATE_FOUND)
return 0;
@@ -1417,7 +1419,6 @@ gnutls_certificate_set_x509_crl_file(gnutls_certificate_credentials_t res,
#include <gnutls/pkcs12.h>
-
/**
* gnutls_certificate_set_x509_simple_pkcs12_file:
* @res: is a #gnutls_certificate_credentials_t type.
@@ -1464,9 +1465,9 @@ int
size_t size;
int ret;
- p12blob.data = (void *) read_file(pkcs12file, RF_BINARY | RF_SENSITIVE,
- &size);
- p12blob.size = (unsigned int) size;
+ p12blob.data = (void *)read_file(pkcs12file, RF_BINARY | RF_SENSITIVE,
+ &size);
+ p12blob.size = (unsigned int)size;
if (p12blob.data == NULL) {
gnutls_assert();
return GNUTLS_E_FILE_ERROR;
@@ -1591,7 +1592,7 @@ int
else
ret = 0;
- done:
+ done:
if (chain) {
for (i = 0; i < chain_size; i++)
gnutls_x509_crt_deinit(chain[i]);
@@ -1605,8 +1606,6 @@ int
return ret;
}
-
-
/**
* gnutls_certificate_free_crls:
* @sc: is a #gnutls_certificate_credentials_t type.