www.gitorious.org Git - gnutls:gnutls.git/blob

1 /*

3 *

4 * Author: Nikos Mavrogiannopoulos

5 *

6 * This file is part of GnuTLS.

7 *

8 * The GnuTLS is free software; you can redistribute it and/or

9 * modify it under the terms of the GNU Lesser General Public License

10 * as published by the Free Software Foundation; either version 2.1 of

11 * the License, or (at your option) any later version.

12 *

13 * This library is distributed in the hope that it will be useful, but

14 * WITHOUT ANY WARRANTY; without even the implied warranty of

15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

16 * Lesser General Public License for more details.

17 *

18 * You should have received a copy of the GNU Lesser General Public License

19 * along with this program. If not, see <http://www.gnu.org/licenses/>

20 *

21 */

23 #include <gnutls_int.h>

24 #include <gnutls_errors.h>

25 #include <libtasn1.h>

26 #include <gnutls_global.h>

27 #include <gnutls_num.h>

28 #include <gnutls_sig.h>

29 #include <gnutls_str.h>

30 #include <gnutls_datum.h>

31 #include "x509_int.h"

32 #include <common.h>

33 #include "verify-high.h"

34 #include "read-file.h"

36 /* Convenience functions for verify-high functionality

37 */

39 /**

40 * gnutls_x509_trust_list_add_trust_mem:

41 * @list: The structure of the list

42 * @cas: A buffer containing a list of CAs (optional)

43 * @crls: A buffer containing a list of CRLs (optional)

44 * @type: The format of the certificates

45 * @tl_flags: GNUTLS_TL_*

46 * @tl_vflags: gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL

47 *

48 * This function will add the given certificate authorities

49 * to the trusted list.

50 *

51 * Returns: The number of added elements is returned.

52 *

53 * Since: 3.1

54 **/

55 int

56 gnutls_x509_trust_list_add_trust_mem(gnutls_x509_trust_list_t list,

57 const gnutls_datum_t * cas,

58 const gnutls_datum_t * crls,

59 gnutls_x509_crt_fmt_t type,

60 unsigned int tl_flags,

61 unsigned int tl_vflags)

62 {

63 int ret;

64 gnutls_x509_crt_t *x509_ca_list = NULL;

65 gnutls_x509_crl_t *x509_crl_list = NULL;

66 unsigned int x509_ncas, x509_ncrls;

67 unsigned int r = 0;

69 if (cas != NULL && cas->data != NULL) {

70 ret =

71 gnutls_x509_crt_list_import2(&x509_ca_list, &x509_ncas,

72 cas, type, 0);

73 if (ret < 0)

74 return gnutls_assert_val(ret);

76 ret =

77 gnutls_x509_trust_list_add_cas(list, x509_ca_list,

78 x509_ncas, tl_flags);

79 gnutls_free(x509_ca_list);

81 if (ret < 0)

82 return gnutls_assert_val(ret);

83 else

84 r += ret;

85 }

87 if (crls != NULL && crls->data != NULL) {

88 ret =

89 gnutls_x509_crl_list_import2(&x509_crl_list,

90 &x509_ncrls, crls, type,

91 0);

92 if (ret < 0)

93 return gnutls_assert_val(ret);

95 ret =

96 gnutls_x509_trust_list_add_crls(list, x509_crl_list,

97 x509_ncrls, tl_flags,

98 tl_vflags);

99 gnutls_free(x509_crl_list);

100

101 if (ret < 0)

102 return gnutls_assert_val(ret);

103 else

104 r += ret;

105 }

106

107 return r;

108 }

109

110 /**

111 * gnutls_x509_trust_list_remove_trust_mem:

112 * @list: The structure of the list

113 * @cas: A buffer containing a list of CAs (optional)

114 * @type: The format of the certificates

115 *

116 * This function will remove the provided certificate authorities

117 * from the trusted list, and add them into a black list when needed.

118 *

119 * See also gnutls_x509_trust_list_remove_cas().

120 *

121 * Returns: The number of removed elements is returned.

122 *

123 * Since: 3.1.10

124 **/

125 int

126 gnutls_x509_trust_list_remove_trust_mem(gnutls_x509_trust_list_t list,

127 const gnutls_datum_t * cas,

128 gnutls_x509_crt_fmt_t type)

129 {

130 int ret;

131 gnutls_x509_crt_t *x509_ca_list = NULL;

132 unsigned int x509_ncas;

133 unsigned int r = 0, i;

134

135 if (cas != NULL && cas->data != NULL) {

136 ret =

137 gnutls_x509_crt_list_import2(&x509_ca_list, &x509_ncas,

138 cas, type, 0);

139 if (ret < 0)

140 return gnutls_assert_val(ret);

141

142 ret =

143 gnutls_x509_trust_list_remove_cas(list, x509_ca_list,

144 x509_ncas);

145

146 for (i = 0; i < x509_ncas; i++)

147 gnutls_x509_crt_deinit(x509_ca_list[i]);

148 gnutls_free(x509_ca_list);

149

150 if (ret < 0)

151 return gnutls_assert_val(ret);

152 else

153 r += ret;

154 }

155

156 return r;

157 }

158

159 #ifdef ENABLE_PKCS11

160 static

161 int import_pkcs11_url(gnutls_x509_trust_list_t list, const char *ca_file,

162 unsigned int flags)

163 {

164 gnutls_x509_crt_t *xcrt_list = NULL;

165 gnutls_pkcs11_obj_t *pcrt_list = NULL;

166 unsigned int pcrt_list_size = 0, i;

167 int ret;

168

169 ret =

170 gnutls_pkcs11_obj_list_import_url2(&pcrt_list, &pcrt_list_size,

171 ca_file,

172 GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA,

173 0);

174 if (ret < 0)

175 return gnutls_assert_val(ret);

176

177 if (pcrt_list_size == 0) {

178 ret = 0;

179 goto cleanup;

180 }

181

182 xcrt_list =

183 gnutls_malloc(sizeof(gnutls_x509_crt_t) * pcrt_list_size);

184 if (xcrt_list == NULL) {

185 ret = GNUTLS_E_MEMORY_ERROR;

186 goto cleanup;

187 }

188

189 ret =

190 gnutls_x509_crt_list_import_pkcs11(xcrt_list, pcrt_list_size,

191 pcrt_list, 0);

192 if (ret < 0) {

193 gnutls_assert();

194 goto cleanup;

195 }

196

197 ret =

198 gnutls_x509_trust_list_add_cas(list, xcrt_list, pcrt_list_size,

199 flags);

200

201 cleanup:

202 for (i = 0; i < pcrt_list_size; i++)

203 gnutls_pkcs11_obj_deinit(pcrt_list[i]);

204 gnutls_free(pcrt_list);

205 gnutls_free(xcrt_list);

206

207 return ret;

208 }

209

210 static

211 int remove_pkcs11_url(gnutls_x509_trust_list_t list, const char *ca_file)

212 {

213 gnutls_x509_crt_t *xcrt_list = NULL;

214 gnutls_pkcs11_obj_t *pcrt_list = NULL;

215 unsigned int pcrt_list_size = 0, i;

216 int ret;

217

218 ret =

219 gnutls_pkcs11_obj_list_import_url2(&pcrt_list, &pcrt_list_size,

220 ca_file,

221 GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED_CA,

222 0);

223 if (ret < 0)

224 return gnutls_assert_val(ret);

225

226 if (pcrt_list_size == 0) {

227 ret = 0;

228 goto cleanup;

229 }

230

231 xcrt_list =

232 gnutls_malloc(sizeof(gnutls_x509_crt_t) * pcrt_list_size);

233 if (xcrt_list == NULL) {

234 ret = GNUTLS_E_MEMORY_ERROR;

235 goto cleanup;

236 }

237

238 ret =

239 gnutls_x509_crt_list_import_pkcs11(xcrt_list, pcrt_list_size,

240 pcrt_list, 0);

241 if (ret < 0) {

242 gnutls_assert();

243 goto cleanup;

244 }

245

246 ret =

247 gnutls_x509_trust_list_remove_cas(list, xcrt_list,

248 pcrt_list_size);

249

250 cleanup:

251 for (i = 0; i < pcrt_list_size; i++) {

252 gnutls_pkcs11_obj_deinit(pcrt_list[i]);

253 if (xcrt_list)

254 gnutls_x509_crt_deinit(xcrt_list[i]);

255 }

256 gnutls_free(pcrt_list);

257 gnutls_free(xcrt_list);

258

259 return ret;

260 }

261 #endif

262

263

264 /**

265 * gnutls_x509_trust_list_add_trust_file:

266 * @list: The structure of the list

267 * @ca_file: A file containing a list of CAs (optional)

268 * @crl_file: A file containing a list of CRLs (optional)

269 * @type: The format of the certificates

270 * @tl_flags: GNUTLS_TL_*

271 * @tl_vflags: gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL

272 *

273 * This function will add the given certificate authorities

274 * to the trusted list. pkcs11 URLs are also accepted, instead

275 * of files, by this function.

276 *

277 * Returns: The number of added elements is returned.

278 *

279 * Since: 3.1

280 **/

281 int

282 gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,

283 const char *ca_file,

284 const char *crl_file,

285 gnutls_x509_crt_fmt_t type,

286 unsigned int tl_flags,

287 unsigned int tl_vflags)

288 {

289 gnutls_datum_t cas = { NULL, 0 };

290 gnutls_datum_t crls = { NULL, 0 };

291 size_t size;

292 int ret;

293

294 #ifdef ENABLE_PKCS11

295 if (strncmp(ca_file, "pkcs11:", 7) == 0) {

296 ret = import_pkcs11_url(list, ca_file, tl_flags);

297 if (ret < 0)

298 return gnutls_assert_val(ret);

299 } else

300 #endif

301 {

302 cas.data = (void *) read_binary_file(ca_file, &size);

303 if (cas.data == NULL) {

304 gnutls_assert();

305 return GNUTLS_E_FILE_ERROR;

306 }

307 cas.size = size;

308 }

309

310 if (crl_file) {

311 crls.data = (void *) read_binary_file(crl_file, &size);

312 if (crls.data == NULL) {

313 gnutls_assert();

314 return GNUTLS_E_FILE_ERROR;

315 }

316 crls.size = size;

317 }

318

319 ret =

320 gnutls_x509_trust_list_add_trust_mem(list, &cas, &crls, type,

321 tl_flags, tl_vflags);

322 free(crls.data);

323 free(cas.data);

324

325 return ret;

326 }

327

328 /**

329 * gnutls_x509_trust_list_remove_trust_file:

330 * @list: The structure of the list

331 * @ca_file: A file containing a list of CAs

332 * @type: The format of the certificates

333 *

334 * This function will remove the given certificate authorities

335 * from the trusted list, and add them into a black list when needed.

336 * PKCS 11 URLs are also accepted, instead

337 * of files, by this function.

338 *

339 * See also gnutls_x509_trust_list_remove_cas().

340 *

341 * Returns: The number of added elements is returned.

342 *

343 * Since: 3.1.10

344 **/

345 int

346 gnutls_x509_trust_list_remove_trust_file(gnutls_x509_trust_list_t list,

347 const char *ca_file,

348 gnutls_x509_crt_fmt_t type)

349 {

350 gnutls_datum_t cas = { NULL, 0 };

351 size_t size;

352 int ret;

353

354 #ifdef ENABLE_PKCS11

355 if (strncmp(ca_file, "pkcs11:", 7) == 0) {

356 ret = remove_pkcs11_url(list, ca_file);

357 if (ret < 0)

358 return gnutls_assert_val(ret);

359 } else

360 #endif

361 {

362 cas.data = (void *) read_binary_file(ca_file, &size);

363 if (cas.data == NULL) {

364 gnutls_assert();

365 return GNUTLS_E_FILE_ERROR;

366 }

367 cas.size = size;

368 }

369

370 ret = gnutls_x509_trust_list_remove_trust_mem(list, &cas, type);

371 free(cas.data);

372

373 return ret;

374 }