137
139
_gnutls_free_datum (&sc->x509_rdn_sequence);
141
* _gnutls_certificate_get_rsa_params - Returns the RSA parameters pointer
142
* @rsa_params: holds the RSA parameters or NULL.
143
* @func: function to retrieve the parameters or NULL.
144
* @session: The session.
146
* This function will return the rsa parameters pointer.
149
_gnutls_certificate_get_rsa_params (gnutls_rsa_params_t rsa_params,
150
gnutls_params_function * func,
151
gnutls_session_t session)
153
gnutls_params_st params;
156
if (session->internals.params.rsa_params)
158
return session->internals.params.rsa_params;
163
session->internals.params.rsa_params = rsa_params;
167
ret = func (session, GNUTLS_PARAMS_RSA_EXPORT, ¶ms);
168
if (ret == 0 && params.type == GNUTLS_PARAMS_RSA_EXPORT)
170
session->internals.params.rsa_params = params.params.rsa_export;
171
session->internals.params.free_rsa_params = params.deinit;
175
return session->internals.params.rsa_params;
180
143
* gnutls_certificate_free_credentials:
181
144
* @sc: is a #gnutls_certificate_credentials_t structure.
637
602
* @session: is a gnutls session
638
603
* @status: is the output of the verification
640
* This function will try to verify the peer's certificate and return
641
* its status (trusted, invalid etc.). The value of @status should
642
* be one or more of the gnutls_certificate_status_t enumerated
643
* elements bitwise or'd. To avoid denial of service attacks some
605
* This function will verify the peer's certificate and store
606
* the status in the @status variable as a bitwise or'd gnutls_certificate_status_t
607
* values or zero if the certificate is trusted. Note that value in @status
608
* is set only when the return value of this function is success (i.e, failure
609
* to trust a certificate does not imply a negative return value).
611
* If available the OCSP Certificate Status extension will be
612
* utilized by this function.
614
* To avoid denial of service attacks some
644
615
* default upper limits regarding the certificate key size and chain
645
* size are set. To override them use
646
* gnutls_certificate_set_verify_limits().
616
* size are set. To override them use gnutls_certificate_set_verify_limits().
648
618
* Note that you must also check the peer's name in order to check if
649
* the verified certificate belongs to the actual peer.
651
* This function uses gnutls_x509_crt_list_verify() with the CAs in
652
* the credentials as trusted CAs.
619
* the verified certificate belongs to the actual peer, see gnutls_x509_crt_check_hostname(),
620
* or use gnutls_certificate_verify_peers3().
654
622
* Returns: a negative error code on error and %GNUTLS_E_SUCCESS (0) on success.
673
641
switch (gnutls_certificate_type_get (session))
675
643
case GNUTLS_CRT_X509:
676
return _gnutls_x509_cert_verify_peers (session, status);
677
#ifdef ENABLE_OPENPGP
678
case GNUTLS_CRT_OPENPGP:
679
return _gnutls_openpgp_crt_verify_peers (session, status);
644
return _gnutls_x509_cert_verify_peers (session, NULL, status);
645
#ifdef ENABLE_OPENPGP
646
case GNUTLS_CRT_OPENPGP:
647
return _gnutls_openpgp_crt_verify_peers (session, NULL, status);
650
return GNUTLS_E_INVALID_REQUEST;
655
* gnutls_certificate_verify_peers3:
656
* @session: is a gnutls session
657
* @hostname: is the expected name of the peer; may be %NULL
658
* @status: is the output of the verification
660
* This function will verify the peer's certificate and store the
661
* status in the @status variable as a bitwise or'd gnutls_certificate_status_t
662
* values or zero if the certificate is trusted. Note that value in @status
663
* is set only when the return value of this function is success (i.e, failure
664
* to trust a certificate does not imply a negative return value).
666
* If the @hostname provided is non-NULL then this function will compare
667
* the hostname in the certificate against the given. If they do not match
668
* the %GNUTLS_CERT_UNEXPECTED_OWNER status flag will be set.
670
* If available the OCSP Certificate Status extension will be
671
* utilized by this function.
673
* To avoid denial of service attacks some
674
* default upper limits regarding the certificate key size and chain
675
* size are set. To override them use gnutls_certificate_set_verify_limits().
677
* Returns: a negative error code on error and %GNUTLS_E_SUCCESS (0) on success.
682
gnutls_certificate_verify_peers3 (gnutls_session_t session,
683
const char* hostname,
684
unsigned int *status)
686
cert_auth_info_t info;
688
CHECK_AUTH (GNUTLS_CRD_CERTIFICATE, GNUTLS_E_INVALID_REQUEST);
690
info = _gnutls_get_auth_info (session);
693
return GNUTLS_E_NO_CERTIFICATE_FOUND;
696
if (info->raw_certificate_list == NULL || info->ncerts == 0)
697
return GNUTLS_E_NO_CERTIFICATE_FOUND;
699
switch (gnutls_certificate_type_get (session))
701
case GNUTLS_CRT_X509:
702
return _gnutls_x509_cert_verify_peers (session, hostname, status);
703
#ifdef ENABLE_OPENPGP
704
case GNUTLS_CRT_OPENPGP:
705
return _gnutls_openpgp_crt_verify_peers (session, hostname, status);
682
708
return GNUTLS_E_INVALID_REQUEST;
825
851
return session->internals.sign_func;
854
/* returns error if the certificate has different algorithm than
855
* the given key parameters.
858
_gnutls_check_key_cert_match (gnutls_certificate_credentials_t res)
860
int pk = gnutls_pubkey_get_pk_algorithm(res->certs[res->ncerts-1].cert_list[0].pubkey, NULL);
861
int pk2 = gnutls_privkey_get_pk_algorithm (res->pkey[res->ncerts - 1], NULL);
866
return GNUTLS_E_CERTIFICATE_KEY_MISMATCH;
873
* gnutls_certificate_verification_status_print:
874
* @status: The status flags to be printed
875
* @type: The certificate type
876
* @out: Newly allocated datum with (0) terminated string.
877
* @flags: should be zero
879
* This function will pretty print the status of a verification
880
* process -- eg. the one obtained by gnutls_certificate_verify_peers3().
882
* The output @out needs to be deallocated using gnutls_free().
884
* Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
885
* negative error value.
890
gnutls_certificate_verification_status_print (unsigned int status,
891
gnutls_certificate_type_t type,
892
gnutls_datum_t * out, unsigned int flags)
894
gnutls_buffer_st str;
897
_gnutls_buffer_init (&str);
900
_gnutls_buffer_append_str (&str, _("The certificate is trusted. "));
902
_gnutls_buffer_append_str (&str, _("The certificate is NOT trusted. "));
904
if (type == GNUTLS_CRT_X509)
906
if (status & GNUTLS_CERT_REVOKED)
907
_gnutls_buffer_append_str (&str, _("The certificate chain is revoked. "));
909
if (status & GNUTLS_CERT_MISMATCH)
910
_gnutls_buffer_append_str (&str, _("The certificate doesn't match the local copy (TOFU). "));
912
if (status & GNUTLS_CERT_REVOCATION_DATA_SUPERSEDED)
913
_gnutls_buffer_append_str (&str, _("The revocation data are old and have been superseded. "));
915
if (status & GNUTLS_CERT_REVOCATION_DATA_ISSUED_IN_FUTURE)
916
_gnutls_buffer_append_str (&str, _("The revocation data are issued with a future date. "));
918
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
919
_gnutls_buffer_append_str (&str, _("The certificate issuer is unknown. "));
921
if (status & GNUTLS_CERT_SIGNER_NOT_CA)
922
_gnutls_buffer_append_str (&str, _("The certificate issuer is not a CA. "));
924
else if (type == GNUTLS_CRT_OPENPGP)
926
_gnutls_buffer_append_str (&str, _("The certificate is not trusted. "));
928
if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
929
_gnutls_buffer_append_str (&str, _("Could not find a signer of the certificate. "));
931
if (status & GNUTLS_CERT_REVOKED)
932
_gnutls_buffer_append_str (&str, _("The certificate is revoked. "));
935
if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
936
_gnutls_buffer_append_str (&str, _("The certificate chain uses insecure algorithm. "));
938
if (status & GNUTLS_CERT_SIGNER_CONSTRAINTS_FAILURE)
939
_gnutls_buffer_append_str (&str, _("The certificate chain violates the signer's constraints. "));
941
if (status & GNUTLS_CERT_NOT_ACTIVATED)
942
_gnutls_buffer_append_str (&str, _("The certificate chain uses not yet valid certificate. "));
944
if (status & GNUTLS_CERT_EXPIRED)
945
_gnutls_buffer_append_str (&str, _("The certificate chain uses expired certificate. "));
947
if (status & GNUTLS_CERT_SIGNATURE_FAILURE)
948
_gnutls_buffer_append_str (&str, _("The signature in the certificate is invalid. "));
950
if (status & GNUTLS_CERT_UNEXPECTED_OWNER)
951
_gnutls_buffer_append_str (&str, _("The name in the certificate does not match the expected. "));
953
ret = _gnutls_buffer_to_datum( &str, out);
954
if (out->size > 0) out->size--;