diff options
Diffstat (limited to 'lib/gnutls_cert.c')
-rw-r--r-- | lib/gnutls_cert.c | 834 |
1 files changed, 425 insertions, 409 deletions
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c index 285d5dffbc..07514edffc 100644 --- a/lib/gnutls_cert.c +++ b/lib/gnutls_cert.c @@ -53,33 +53,29 @@ * TLS negotiation that uses the credentials is in progress. * **/ -void -gnutls_certificate_free_keys (gnutls_certificate_credentials_t sc) +void gnutls_certificate_free_keys(gnutls_certificate_credentials_t sc) { - unsigned i, j; - - for (i = 0; i < sc->ncerts; i++) - { - for (j = 0; j < sc->certs[i].cert_list_length; j++) - { - gnutls_pcert_deinit (&sc->certs[i].cert_list[j]); - } - gnutls_free (sc->certs[i].cert_list); - _gnutls_str_array_clear (&sc->certs[i].names); - } - - gnutls_free (sc->certs); - sc->certs = NULL; - - for (i = 0; i < sc->ncerts; i++) - { - gnutls_privkey_deinit (sc->pkey[i]); - } - - gnutls_free (sc->pkey); - sc->pkey = NULL; - - sc->ncerts = 0; + unsigned i, j; + + for (i = 0; i < sc->ncerts; i++) { + for (j = 0; j < sc->certs[i].cert_list_length; j++) { + gnutls_pcert_deinit(&sc->certs[i].cert_list[j]); + } + gnutls_free(sc->certs[i].cert_list); + _gnutls_str_array_clear(&sc->certs[i].names); + } + + gnutls_free(sc->certs); + sc->certs = NULL; + + for (i = 0; i < sc->ncerts; i++) { + gnutls_privkey_deinit(sc->pkey[i]); + } + + gnutls_free(sc->pkey); + sc->pkey = NULL; + + sc->ncerts = 0; } /** @@ -91,11 +87,10 @@ gnutls_certificate_free_keys (gnutls_certificate_credentials_t sc) * gnutls_certificate_verify_peers2() may call this to save some * memory. **/ -void -gnutls_certificate_free_cas (gnutls_certificate_credentials_t sc) +void gnutls_certificate_free_cas(gnutls_certificate_credentials_t sc) { - /* FIXME: do nothing for now */ - return; + /* FIXME: do nothing for now */ + return; } /** @@ -113,10 +108,13 @@ gnutls_certificate_free_cas (gnutls_certificate_credentials_t sc) * Since: 3.0 **/ int -gnutls_certificate_get_issuer (gnutls_certificate_credentials_t sc, - gnutls_x509_crt_t cert, gnutls_x509_crt_t* issuer, unsigned int flags) +gnutls_certificate_get_issuer(gnutls_certificate_credentials_t sc, + gnutls_x509_crt_t cert, + gnutls_x509_crt_t * issuer, + unsigned int flags) { - return gnutls_x509_trust_list_get_issuer(sc->tlist, cert, issuer, flags); + return gnutls_x509_trust_list_get_issuer(sc->tlist, cert, issuer, + flags); } /** @@ -138,21 +136,24 @@ gnutls_certificate_get_issuer (gnutls_certificate_credentials_t sc, * Since: 3.2.5 **/ int -gnutls_certificate_get_crt_raw (gnutls_certificate_credentials_t sc, - unsigned idx1, - unsigned idx2, - gnutls_datum_t * cert) +gnutls_certificate_get_crt_raw(gnutls_certificate_credentials_t sc, + unsigned idx1, + unsigned idx2, gnutls_datum_t * cert) { - if (idx1 >= sc->ncerts) - return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); + if (idx1 >= sc->ncerts) + return + gnutls_assert_val + (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); - if (idx2 >= sc->certs[idx1].cert_list_length) - return gnutls_assert_val(GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); + if (idx2 >= sc->certs[idx1].cert_list_length) + return + gnutls_assert_val + (GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE); - cert->data = sc->certs[idx1].cert_list[idx2].cert.data; - cert->size = sc->certs[idx1].cert_list[idx2].cert.size; + cert->data = sc->certs[idx1].cert_list[idx2].cert.data; + cert->size = sc->certs[idx1].cert_list[idx2].cert.size; - return 0; + return 0; } /** @@ -169,10 +170,9 @@ gnutls_certificate_get_crt_raw (gnutls_certificate_credentials_t sc, * CA names are used by servers to advertise the CAs they support to * clients. **/ -void -gnutls_certificate_free_ca_names (gnutls_certificate_credentials_t sc) +void gnutls_certificate_free_ca_names(gnutls_certificate_credentials_t sc) { - _gnutls_free_datum (&sc->x509_rdn_sequence); + _gnutls_free_datum(&sc->x509_rdn_sequence); } @@ -188,18 +188,18 @@ gnutls_certificate_free_ca_names (gnutls_certificate_credentials_t sc) * function). **/ void -gnutls_certificate_free_credentials (gnutls_certificate_credentials_t sc) +gnutls_certificate_free_credentials(gnutls_certificate_credentials_t sc) { - gnutls_x509_trust_list_deinit(sc->tlist, 1); - gnutls_certificate_free_keys (sc); - gnutls_certificate_free_ca_names (sc); - gnutls_free(sc->ocsp_response_file); - memset(sc->pin_tmp, 0, sizeof(sc->pin_tmp)); + gnutls_x509_trust_list_deinit(sc->tlist, 1); + gnutls_certificate_free_keys(sc); + gnutls_certificate_free_ca_names(sc); + gnutls_free(sc->ocsp_response_file); + memset(sc->pin_tmp, 0, sizeof(sc->pin_tmp)); #ifdef ENABLE_OPENPGP - gnutls_openpgp_keyring_deinit (sc->keyring); + gnutls_openpgp_keyring_deinit(sc->keyring); #endif - gnutls_free (sc); + gnutls_free(sc); } @@ -213,27 +213,26 @@ gnutls_certificate_free_credentials (gnutls_certificate_credentials_t sc) * Returns: %GNUTLS_E_SUCCESS on success, or an error code. **/ int -gnutls_certificate_allocate_credentials (gnutls_certificate_credentials_t * - res) +gnutls_certificate_allocate_credentials(gnutls_certificate_credentials_t * + res) { -int ret; + int ret; - *res = gnutls_calloc (1, sizeof (certificate_credentials_st)); + *res = gnutls_calloc(1, sizeof(certificate_credentials_st)); - if (*res == NULL) - return GNUTLS_E_MEMORY_ERROR; + if (*res == NULL) + return GNUTLS_E_MEMORY_ERROR; - ret = gnutls_x509_trust_list_init( &(*res)->tlist, 0); - if (ret < 0) - { - gnutls_assert(); - gnutls_free(*res); - return GNUTLS_E_MEMORY_ERROR; - } - (*res)->verify_bits = DEFAULT_MAX_VERIFY_BITS; - (*res)->verify_depth = DEFAULT_MAX_VERIFY_DEPTH; + ret = gnutls_x509_trust_list_init(&(*res)->tlist, 0); + if (ret < 0) { + gnutls_assert(); + gnutls_free(*res); + return GNUTLS_E_MEMORY_ERROR; + } + (*res)->verify_bits = DEFAULT_MAX_VERIFY_BITS; + (*res)->verify_depth = DEFAULT_MAX_VERIFY_DEPTH; - return 0; + return 0; } @@ -244,51 +243,48 @@ int ret; * extensions in order to disable unneded algorithms. */ int -_gnutls_selected_cert_supported_kx (gnutls_session_t session, - gnutls_kx_algorithm_t * alg, - int *alg_size) +_gnutls_selected_cert_supported_kx(gnutls_session_t session, + gnutls_kx_algorithm_t * alg, + int *alg_size) { - gnutls_kx_algorithm_t kx; - gnutls_pk_algorithm_t pk, cert_pk; - gnutls_pcert_st *cert; - int i; - - if (session->internals.selected_cert_list_length == 0) - { - *alg_size = 0; - return 0; - } - - cert = &session->internals.selected_cert_list[0]; - cert_pk = gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL); - i = 0; - - for (kx = 0; kx < MAX_ALGOS; kx++) - { - pk = _gnutls_map_pk_get_pk (kx); - if (pk == cert_pk) - { - /* then check key usage */ - if (_gnutls_check_key_usage (cert, kx) == 0) - { - alg[i] = kx; - i++; - - if (i > *alg_size) - return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR); - } - } - } - - if (i == 0) - { - gnutls_assert (); - return GNUTLS_E_INVALID_REQUEST; - } - - *alg_size = i; - - return 0; + gnutls_kx_algorithm_t kx; + gnutls_pk_algorithm_t pk, cert_pk; + gnutls_pcert_st *cert; + int i; + + if (session->internals.selected_cert_list_length == 0) { + *alg_size = 0; + return 0; + } + + cert = &session->internals.selected_cert_list[0]; + cert_pk = gnutls_pubkey_get_pk_algorithm(cert->pubkey, NULL); + i = 0; + + for (kx = 0; kx < MAX_ALGOS; kx++) { + pk = _gnutls_map_pk_get_pk(kx); + if (pk == cert_pk) { + /* then check key usage */ + if (_gnutls_check_key_usage(cert, kx) == 0) { + alg[i] = kx; + i++; + + if (i > *alg_size) + return + gnutls_assert_val + (GNUTLS_E_INTERNAL_ERROR); + } + } + } + + if (i == 0) { + gnutls_assert(); + return GNUTLS_E_INVALID_REQUEST; + } + + *alg_size = i; + + return 0; } @@ -304,10 +300,10 @@ _gnutls_selected_cert_supported_kx (gnutls_session_t session, * function then the client will not be asked to send a certificate. **/ void -gnutls_certificate_server_set_request (gnutls_session_t session, - gnutls_certificate_request_t req) +gnutls_certificate_server_set_request(gnutls_session_t session, + gnutls_certificate_request_t req) { - session->internals.send_cert_req = req; + session->internals.send_cert_req = req; } /** @@ -345,10 +341,9 @@ gnutls_certificate_server_set_request (gnutls_session_t session, * indicates error and the handshake will be terminated. **/ void gnutls_certificate_client_set_retrieve_function - (gnutls_certificate_credentials_t cred, - gnutls_certificate_client_retrieve_function * func) -{ - cred->client_get_cert_callback = func; + (gnutls_certificate_credentials_t cred, + gnutls_certificate_client_retrieve_function * func) { + cred->client_get_cert_callback = func; } /** @@ -374,10 +369,9 @@ void gnutls_certificate_client_set_retrieve_function * will be terminated. **/ void gnutls_certificate_server_set_retrieve_function - (gnutls_certificate_credentials_t cred, - gnutls_certificate_server_retrieve_function * func) -{ - cred->server_get_cert_callback = func; + (gnutls_certificate_credentials_t cred, + gnutls_certificate_server_retrieve_function * func) { + cred->server_get_cert_callback = func; } /** @@ -418,10 +412,9 @@ void gnutls_certificate_server_set_retrieve_function * Since: 3.0 **/ void gnutls_certificate_set_retrieve_function - (gnutls_certificate_credentials_t cred, - gnutls_certificate_retrieve_function * func) -{ - cred->get_cert_callback = func; + (gnutls_certificate_credentials_t cred, + gnutls_certificate_retrieve_function * func) { + cred->get_cert_callback = func; } /** @@ -465,10 +458,9 @@ void gnutls_certificate_set_retrieve_function * Since: 3.0 **/ void gnutls_certificate_set_retrieve_function2 - (gnutls_certificate_credentials_t cred, - gnutls_certificate_retrieve_function2 * func) -{ - cred->get_cert_callback2 = func; + (gnutls_certificate_credentials_t cred, + gnutls_certificate_retrieve_function2 * func) { + cred->get_cert_callback2 = func; } /** @@ -495,11 +487,10 @@ void gnutls_certificate_set_retrieve_function2 * Since: 2.10.0 **/ void - gnutls_certificate_set_verify_function - (gnutls_certificate_credentials_t cred, - gnutls_certificate_verify_function * func) -{ - cred->verify_callback = func; + gnutls_certificate_set_verify_function + (gnutls_certificate_credentials_t cred, + gnutls_certificate_verify_function * func) { + cred->verify_callback = func; } /*- @@ -513,27 +504,26 @@ void * -*/ static time_t -_gnutls_x509_get_raw_crt_activation_time (const gnutls_datum_t * cert) +_gnutls_x509_get_raw_crt_activation_time(const gnutls_datum_t * cert) { - gnutls_x509_crt_t xcert; - time_t result; + gnutls_x509_crt_t xcert; + time_t result; - result = gnutls_x509_crt_init (&xcert); - if (result < 0) - return (time_t) - 1; + result = gnutls_x509_crt_init(&xcert); + if (result < 0) + return (time_t) - 1; - result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER); - if (result < 0) - { - gnutls_x509_crt_deinit (xcert); - return (time_t) - 1; - } + result = gnutls_x509_crt_import(xcert, cert, GNUTLS_X509_FMT_DER); + if (result < 0) { + gnutls_x509_crt_deinit(xcert); + return (time_t) - 1; + } - result = gnutls_x509_crt_get_activation_time (xcert); + result = gnutls_x509_crt_get_activation_time(xcert); - gnutls_x509_crt_deinit (xcert); + gnutls_x509_crt_deinit(xcert); - return result; + return result; } /*- @@ -547,27 +537,26 @@ _gnutls_x509_get_raw_crt_activation_time (const gnutls_datum_t * cert) * -*/ static time_t -_gnutls_x509_get_raw_crt_expiration_time (const gnutls_datum_t * cert) +_gnutls_x509_get_raw_crt_expiration_time(const gnutls_datum_t * cert) { - gnutls_x509_crt_t xcert; - time_t result; + gnutls_x509_crt_t xcert; + time_t result; - result = gnutls_x509_crt_init (&xcert); - if (result < 0) - return (time_t) - 1; + result = gnutls_x509_crt_init(&xcert); + if (result < 0) + return (time_t) - 1; - result = gnutls_x509_crt_import (xcert, cert, GNUTLS_X509_FMT_DER); - if (result < 0) - { - gnutls_x509_crt_deinit (xcert); - return (time_t) - 1; - } + result = gnutls_x509_crt_import(xcert, cert, GNUTLS_X509_FMT_DER); + if (result < 0) { + gnutls_x509_crt_deinit(xcert); + return (time_t) - 1; + } - result = gnutls_x509_crt_get_expiration_time (xcert); + result = gnutls_x509_crt_get_expiration_time(xcert); - gnutls_x509_crt_deinit (xcert); + gnutls_x509_crt_deinit(xcert); - return result; + return result; } #ifdef ENABLE_OPENPGP @@ -579,58 +568,55 @@ _gnutls_x509_get_raw_crt_expiration_time (const gnutls_datum_t * cert) * Returns a negative error code in case of an error, or GNUTLS_E_NO_CERTIFICATE_FOUND if no certificate was sent. -*/ static int -_gnutls_openpgp_crt_verify_peers (gnutls_session_t session, - const char* hostname, - unsigned int *status) +_gnutls_openpgp_crt_verify_peers(gnutls_session_t session, + const char *hostname, + unsigned int *status) { - cert_auth_info_t info; - gnutls_certificate_credentials_t cred; - int peer_certificate_list_size, ret; - - CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); - - info = _gnutls_get_auth_info (session); - if (info == NULL) - return GNUTLS_E_INVALID_REQUEST; - - cred = (gnutls_certificate_credentials_t) - _gnutls_get_cred (session, GNUTLS_CRD_CERTIFICATE, NULL); - if (cred == NULL) - { - gnutls_assert (); - return GNUTLS_E_INSUFFICIENT_CREDENTIALS; - } - - if (info->raw_certificate_list == NULL || info->ncerts == 0) - { - gnutls_assert (); - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } - - /* generate a list of gnutls_certs based on the auth info - * raw certs. - */ - peer_certificate_list_size = info->ncerts; - - if (peer_certificate_list_size != 1) - { - gnutls_assert (); - return GNUTLS_E_INTERNAL_ERROR; - } - - /* Verify certificate - */ - ret = - _gnutls_openpgp_verify_key (cred, hostname, &info->raw_certificate_list[0], - peer_certificate_list_size, status); - - if (ret < 0) - { - gnutls_assert (); - return ret; - } - - return 0; + cert_auth_info_t info; + gnutls_certificate_credentials_t cred; + int peer_certificate_list_size, ret; + + CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); + + info = _gnutls_get_auth_info(session); + if (info == NULL) + return GNUTLS_E_INVALID_REQUEST; + + cred = (gnutls_certificate_credentials_t) + _gnutls_get_cred(session, GNUTLS_CRD_CERTIFICATE, NULL); + if (cred == NULL) { + gnutls_assert(); + return GNUTLS_E_INSUFFICIENT_CREDENTIALS; + } + + if (info->raw_certificate_list == NULL || info->ncerts == 0) { + gnutls_assert(); + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } + + /* generate a list of gnutls_certs based on the auth info + * raw certs. + */ + peer_certificate_list_size = info->ncerts; + + if (peer_certificate_list_size != 1) { + gnutls_assert(); + return GNUTLS_E_INTERNAL_ERROR; + } + + /* Verify certificate + */ + ret = + _gnutls_openpgp_verify_key(cred, hostname, + &info->raw_certificate_list[0], + peer_certificate_list_size, status); + + if (ret < 0) { + gnutls_assert(); + return ret; + } + + return 0; } #endif @@ -659,33 +645,33 @@ _gnutls_openpgp_crt_verify_peers (gnutls_session_t session, * Returns: a negative error code on error and %GNUTLS_E_SUCCESS (0) on success. **/ int -gnutls_certificate_verify_peers2 (gnutls_session_t session, - unsigned int *status) +gnutls_certificate_verify_peers2(gnutls_session_t session, + unsigned int *status) { - cert_auth_info_t info; + cert_auth_info_t info; - CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); + CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); - info = _gnutls_get_auth_info (session); - if (info == NULL) - { - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } + info = _gnutls_get_auth_info(session); + if (info == NULL) { + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } - if (info->raw_certificate_list == NULL || info->ncerts == 0) - return GNUTLS_E_NO_CERTIFICATE_FOUND; + if (info->raw_certificate_list == NULL || info->ncerts == 0) + return GNUTLS_E_NO_CERTIFICATE_FOUND; - switch (gnutls_certificate_type_get (session)) - { - case GNUTLS_CRT_X509: - return _gnutls_x509_cert_verify_peers (session, NULL, status); + switch (gnutls_certificate_type_get(session)) { + case GNUTLS_CRT_X509: + return _gnutls_x509_cert_verify_peers(session, NULL, + status); #ifdef ENABLE_OPENPGP - case GNUTLS_CRT_OPENPGP: - return _gnutls_openpgp_crt_verify_peers (session, NULL, status); + case GNUTLS_CRT_OPENPGP: + return _gnutls_openpgp_crt_verify_peers(session, NULL, + status); #endif - default: - return GNUTLS_E_INVALID_REQUEST; - } + default: + return GNUTLS_E_INVALID_REQUEST; + } } /** @@ -716,34 +702,34 @@ gnutls_certificate_verify_peers2 (gnutls_session_t session, * Since: 3.1.4 **/ int -gnutls_certificate_verify_peers3 (gnutls_session_t session, - const char* hostname, - unsigned int *status) +gnutls_certificate_verify_peers3(gnutls_session_t session, + const char *hostname, + unsigned int *status) { - cert_auth_info_t info; + cert_auth_info_t info; - CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); + CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); - info = _gnutls_get_auth_info (session); - if (info == NULL) - { - return GNUTLS_E_NO_CERTIFICATE_FOUND; - } + info = _gnutls_get_auth_info(session); + if (info == NULL) { + return GNUTLS_E_NO_CERTIFICATE_FOUND; + } - if (info->raw_certificate_list == NULL || info->ncerts == 0) - return GNUTLS_E_NO_CERTIFICATE_FOUND; + if (info->raw_certificate_list == NULL || info->ncerts == 0) + return GNUTLS_E_NO_CERTIFICATE_FOUND; - switch (gnutls_certificate_type_get (session)) - { - case GNUTLS_CRT_X509: - return _gnutls_x509_cert_verify_peers (session, hostname, status); + switch (gnutls_certificate_type_get(session)) { + case GNUTLS_CRT_X509: + return _gnutls_x509_cert_verify_peers(session, hostname, + status); #ifdef ENABLE_OPENPGP - case GNUTLS_CRT_OPENPGP: - return _gnutls_openpgp_crt_verify_peers (session, hostname, status); + case GNUTLS_CRT_OPENPGP: + return _gnutls_openpgp_crt_verify_peers(session, hostname, + status); #endif - default: - return GNUTLS_E_INVALID_REQUEST; - } + default: + return GNUTLS_E_INVALID_REQUEST; + } } /** @@ -756,40 +742,37 @@ gnutls_certificate_verify_peers3 (gnutls_session_t session, * * Deprecated: gnutls_certificate_verify_peers2() now verifies expiration times. **/ -time_t -gnutls_certificate_expiration_time_peers (gnutls_session_t session) +time_t gnutls_certificate_expiration_time_peers(gnutls_session_t session) { - cert_auth_info_t info; - - CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); - - info = _gnutls_get_auth_info (session); - if (info == NULL) - { - return (time_t) - 1; - } - - if (info->raw_certificate_list == NULL || info->ncerts == 0) - { - gnutls_assert (); - return (time_t) - 1; - } - - switch (gnutls_certificate_type_get (session)) - { - case GNUTLS_CRT_X509: - return - _gnutls_x509_get_raw_crt_expiration_time (&info->raw_certificate_list - [0]); + cert_auth_info_t info; + + CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); + + info = _gnutls_get_auth_info(session); + if (info == NULL) { + return (time_t) - 1; + } + + if (info->raw_certificate_list == NULL || info->ncerts == 0) { + gnutls_assert(); + return (time_t) - 1; + } + + switch (gnutls_certificate_type_get(session)) { + case GNUTLS_CRT_X509: + return + _gnutls_x509_get_raw_crt_expiration_time(&info-> + raw_certificate_list + [0]); #ifdef ENABLE_OPENPGP - case GNUTLS_CRT_OPENPGP: - return - _gnutls_openpgp_get_raw_key_expiration_time - (&info->raw_certificate_list[0]); + case GNUTLS_CRT_OPENPGP: + return + _gnutls_openpgp_get_raw_key_expiration_time + (&info->raw_certificate_list[0]); #endif - default: - return (time_t) - 1; - } + default: + return (time_t) - 1; + } } /** @@ -803,40 +786,38 @@ gnutls_certificate_expiration_time_peers (gnutls_session_t session) * * Deprecated: gnutls_certificate_verify_peers2() now verifies activation times. **/ -time_t -gnutls_certificate_activation_time_peers (gnutls_session_t session) +time_t gnutls_certificate_activation_time_peers(gnutls_session_t session) { - cert_auth_info_t info; - - CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); - - info = _gnutls_get_auth_info (session); - if (info == NULL) - { - return (time_t) - 1; - } - - if (info->raw_certificate_list == NULL || info->ncerts == 0) - { - gnutls_assert (); - return (time_t) - 1; - } - - switch (gnutls_certificate_type_get (session)) - { - case GNUTLS_CRT_X509: - return - _gnutls_x509_get_raw_crt_activation_time (&info->raw_certificate_list - [0]); + cert_auth_info_t info; + + CHECK_AUTH(GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST); + + info = _gnutls_get_auth_info(session); + if (info == NULL) { + return (time_t) - 1; + } + + if (info->raw_certificate_list == NULL || info->ncerts == 0) { + gnutls_assert(); + return (time_t) - 1; + } + + switch (gnutls_certificate_type_get(session)) { + case GNUTLS_CRT_X509: + return + _gnutls_x509_get_raw_crt_activation_time(&info-> + raw_certificate_list + [0]); #ifdef ENABLE_OPENPGP - case GNUTLS_CRT_OPENPGP: - return - _gnutls_openpgp_get_raw_key_creation_time (&info->raw_certificate_list - [0]); + case GNUTLS_CRT_OPENPGP: + return + _gnutls_openpgp_get_raw_key_creation_time(&info-> + raw_certificate_list + [0]); #endif - default: - return (time_t) - 1; - } + default: + return (time_t) - 1; + } } /** @@ -861,11 +842,11 @@ gnutls_certificate_activation_time_peers (gnutls_session_t session) * Deprecated: Use the PKCS 11 or #gnutls_privkey_t interfacess like gnutls_privkey_import_ext() instead. **/ void -gnutls_sign_callback_set (gnutls_session_t session, - gnutls_sign_func sign_func, void *userdata) +gnutls_sign_callback_set(gnutls_session_t session, + gnutls_sign_func sign_func, void *userdata) { - session->internals.sign_func = sign_func; - session->internals.sign_func_userdata = userdata; + session->internals.sign_func = sign_func; + session->internals.sign_func_userdata = userdata; } /** @@ -881,29 +862,31 @@ gnutls_sign_callback_set (gnutls_session_t session, * Deprecated: Use the PKCS 11 interfaces instead. **/ gnutls_sign_func -gnutls_sign_callback_get (gnutls_session_t session, void **userdata) +gnutls_sign_callback_get(gnutls_session_t session, void **userdata) { - if (userdata) - *userdata = session->internals.sign_func_userdata; - return session->internals.sign_func; + if (userdata) + *userdata = session->internals.sign_func_userdata; + return session->internals.sign_func; } /* returns error if the certificate has different algorithm than * the given key parameters. */ -int -_gnutls_check_key_cert_match (gnutls_certificate_credentials_t res) +int _gnutls_check_key_cert_match(gnutls_certificate_credentials_t res) { - int pk = gnutls_pubkey_get_pk_algorithm(res->certs[res->ncerts-1].cert_list[0].pubkey, NULL); - int pk2 = gnutls_privkey_get_pk_algorithm (res->pkey[res->ncerts - 1], NULL); - - if (pk2 != pk) - { - gnutls_assert (); - return GNUTLS_E_CERTIFICATE_KEY_MISMATCH; - } - - return 0; + int pk = + gnutls_pubkey_get_pk_algorithm(res->certs[res->ncerts - 1]. + cert_list[0].pubkey, NULL); + int pk2 = + gnutls_privkey_get_pk_algorithm(res->pkey[res->ncerts - 1], + NULL); + + if (pk2 != pk) { + gnutls_assert(); + return GNUTLS_E_CERTIFICATE_KEY_MISMATCH; + } + + return 0; } /** @@ -924,71 +907,104 @@ _gnutls_check_key_cert_match (gnutls_certificate_credentials_t res) * Since: 3.1.4 **/ int -gnutls_certificate_verification_status_print (unsigned int status, - gnutls_certificate_type_t type, - gnutls_datum_t * out, unsigned int flags) +gnutls_certificate_verification_status_print(unsigned int status, + gnutls_certificate_type_t + type, gnutls_datum_t * out, + unsigned int flags) { - gnutls_buffer_st str; - int ret; - - _gnutls_buffer_init (&str); - - if (status == 0) - _gnutls_buffer_append_str (&str, _("The certificate is trusted. ")); - else - _gnutls_buffer_append_str (&str, _("The certificate is NOT trusted. ")); - - if (type == GNUTLS_CRT_X509) - { - if (status & GNUTLS_CERT_REVOKED) - _gnutls_buffer_append_str (&str, _("The certificate chain is revoked. ")); - - if (status & GNUTLS_CERT_MISMATCH) - _gnutls_buffer_append_str (&str, _("The certificate doesn't match the local copy (TOFU). ")); - - if (status & GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED) - _gnutls_buffer_append_str (&str, _("The revocation data are old and have been superseded. ")); - - if (status & GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE) - _gnutls_buffer_append_str (&str, _("The revocation data are issued with a future date. ")); - - if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) - _gnutls_buffer_append_str (&str, _("The certificate issuer is unknown. ")); - - if (status & GNUTLS_CERT_SIGNER_NOT_CA) - _gnutls_buffer_append_str (&str, _("The certificate issuer is not a CA. ")); - } - else if (type == GNUTLS_CRT_OPENPGP) - { - _gnutls_buffer_append_str (&str, _("The certificate is not trusted. ")); - - if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) - _gnutls_buffer_append_str (&str, _("Could not find a signer of the certificate. ")); - - if (status & GNUTLS_CERT_REVOKED) - _gnutls_buffer_append_str (&str, _("The certificate is revoked. ")); - } - - if (status & GNUTLS_CERT_INSECURE_ALGORITHM) - _gnutls_buffer_append_str (&str, _("The certificate chain uses insecure algorithm. ")); - - if (status & GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE) - _gnutls_buffer_append_str (&str, _("The certificate chain violates the signer's constraints. ")); - - if (status & GNUTLS_CERT_NOT_ACTIVATED) - _gnutls_buffer_append_str (&str, _("The certificate chain uses not yet valid certificate. ")); - - if (status & GNUTLS_CERT_EXPIRED) - _gnutls_buffer_append_str (&str, _("The certificate chain uses expired certificate. ")); - - if (status & GNUTLS_CERT_SIGNATURE_FAILURE) - _gnutls_buffer_append_str (&str, _("The signature in the certificate is invalid. ")); - - if (status & GNUTLS_CERT_UNEXPECTED_OWNER) - _gnutls_buffer_append_str (&str, _("The name in the certificate does not match the expected. ")); - - ret = _gnutls_buffer_to_datum( &str, out); - if (out->size > 0) out->size--; - - return ret; + gnutls_buffer_st str; + int ret; + + _gnutls_buffer_init(&str); + + if (status == 0) + _gnutls_buffer_append_str(&str, + _ + ("The certificate is trusted. ")); + else + _gnutls_buffer_append_str(&str, + _ + ("The certificate is NOT trusted. ")); + + if (type == GNUTLS_CRT_X509) { + if (status & GNUTLS_CERT_REVOKED) + _gnutls_buffer_append_str(&str, + _ + ("The certificate chain is revoked. ")); + + if (status & GNUTLS_CERT_MISMATCH) + _gnutls_buffer_append_str(&str, + _ + ("The certificate doesn't match the local copy (TOFU). ")); + + if (status & GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED) + _gnutls_buffer_append_str(&str, + _ + ("The revocation data are old and have been superseded. ")); + + if (status & GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE) + _gnutls_buffer_append_str(&str, + _ + ("The revocation data are issued with a future date. ")); + + if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) + _gnutls_buffer_append_str(&str, + _ + ("The certificate issuer is unknown. ")); + + if (status & GNUTLS_CERT_SIGNER_NOT_CA) + _gnutls_buffer_append_str(&str, + _ + ("The certificate issuer is not a CA. ")); + } else if (type == GNUTLS_CRT_OPENPGP) { + _gnutls_buffer_append_str(&str, + _ + ("The certificate is not trusted. ")); + + if (status & GNUTLS_CERT_SIGNER_NOT_FOUND) + _gnutls_buffer_append_str(&str, + _ + ("Could not find a signer of the certificate. ")); + + if (status & GNUTLS_CERT_REVOKED) + _gnutls_buffer_append_str(&str, + _ + ("The certificate is revoked. ")); + } + + if (status & GNUTLS_CERT_INSECURE_ALGORITHM) + _gnutls_buffer_append_str(&str, + _ + ("The certificate chain uses insecure algorithm. ")); + + if (status & GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE) + _gnutls_buffer_append_str(&str, + _ + ("The certificate chain violates the signer's constraints. ")); + + if (status & GNUTLS_CERT_NOT_ACTIVATED) + _gnutls_buffer_append_str(&str, + _ + ("The certificate chain uses not yet valid certificate. ")); + + if (status & GNUTLS_CERT_EXPIRED) + _gnutls_buffer_append_str(&str, + _ + ("The certificate chain uses expired certificate. ")); + + if (status & GNUTLS_CERT_SIGNATURE_FAILURE) + _gnutls_buffer_append_str(&str, + _ + ("The signature in the certificate is invalid. ")); + + if (status & GNUTLS_CERT_UNEXPECTED_OWNER) + _gnutls_buffer_append_str(&str, + _ + ("The name in the certificate does not match the expected. ")); + + ret = _gnutls_buffer_to_datum(&str, out); + if (out->size > 0) + out->size--; + + return ret; } |