1 /* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
3 * GIO - GLib Input, Output and Streaming Library
5 * Copyright 2009 Red Hat, Inc
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General
18 * Public License along with this library; if not, see
19 * <http://www.gnu.org/licenses/>.
21 * In addition, when the library is used with OpenSSL, a special
22 * exception applies. Refer to the LICENSE_EXCEPTION file for details.
27 #include <gnutls/gnutls.h>
28 #include <gnutls/x509.h>
31 #include "gtlscertificate-gnutls.h"
32 #include <glib/gi18n-lib.h>
46 struct _GTlsCertificateGnutls
48 GTlsCertificate parent_instance;
50 gnutls_x509_crt_t cert;
51 gnutls_x509_privkey_t key;
53 GTlsCertificateGnutls *issuer;
55 GError *construct_error;
61 static void g_tls_certificate_gnutls_initable_iface_init (GInitableIface *iface);
63 G_DEFINE_TYPE_WITH_CODE (GTlsCertificateGnutls, g_tls_certificate_gnutls, G_TYPE_TLS_CERTIFICATE,
64 G_IMPLEMENT_INTERFACE (G_TYPE_INITABLE,
65 g_tls_certificate_gnutls_initable_iface_init);)
68 g_tls_certificate_gnutls_finalize (GObject *object)
70 GTlsCertificateGnutls *gnutls = G_TLS_CERTIFICATE_GNUTLS (object);
72 g_clear_pointer (&gnutls->cert, gnutls_x509_crt_deinit);
73 g_clear_pointer (&gnutls->key, gnutls_x509_privkey_deinit);
75 g_clear_object (&gnutls->issuer);
77 g_clear_error (&gnutls->construct_error);
79 G_OBJECT_CLASS (g_tls_certificate_gnutls_parent_class)->finalize (object);
83 g_tls_certificate_gnutls_get_property (GObject *object,
88 GTlsCertificateGnutls *gnutls = G_TLS_CERTIFICATE_GNUTLS (object);
89 GByteArray *certificate;
90 char *certificate_pem;
96 case PROP_CERTIFICATE:
98 status = gnutls_x509_crt_export (gnutls->cert,
101 if (status != GNUTLS_E_SHORT_MEMORY_BUFFER)
105 certificate = g_byte_array_sized_new (size);
106 certificate->len = size;
107 status = gnutls_x509_crt_export (gnutls->cert,
109 certificate->data, &size);
112 g_byte_array_free (certificate, TRUE);
116 g_value_take_boxed (value, certificate);
119 case PROP_CERTIFICATE_PEM:
121 status = gnutls_x509_crt_export (gnutls->cert,
124 if (status != GNUTLS_E_SHORT_MEMORY_BUFFER)
125 certificate_pem = NULL;
128 certificate_pem = g_malloc (size);
129 status = gnutls_x509_crt_export (gnutls->cert,
131 certificate_pem, &size);
134 g_free (certificate_pem);
135 certificate_pem = NULL;
138 g_value_take_string (value, certificate_pem);
142 g_value_set_object (value, gnutls->issuer);
146 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
151 g_tls_certificate_gnutls_set_property (GObject *object,
156 GTlsCertificateGnutls *gnutls = G_TLS_CERTIFICATE_GNUTLS (object);
164 case PROP_CERTIFICATE:
165 bytes = g_value_get_boxed (value);
168 g_return_if_fail (gnutls->have_cert == FALSE);
169 data.data = bytes->data;
170 data.size = bytes->len;
171 status = gnutls_x509_crt_import (gnutls->cert, &data,
172 GNUTLS_X509_FMT_DER);
174 gnutls->have_cert = TRUE;
175 else if (!gnutls->construct_error)
177 gnutls->construct_error =
178 g_error_new (G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
179 _("Could not parse DER certificate: %s"),
180 gnutls_strerror (status));
185 case PROP_CERTIFICATE_PEM:
186 string = g_value_get_string (value);
189 g_return_if_fail (gnutls->have_cert == FALSE);
190 data.data = (void *)string;
191 data.size = strlen (string);
192 status = gnutls_x509_crt_import (gnutls->cert, &data,
193 GNUTLS_X509_FMT_PEM);
195 gnutls->have_cert = TRUE;
196 else if (!gnutls->construct_error)
198 gnutls->construct_error =
199 g_error_new (G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
200 _("Could not parse PEM certificate: %s"),
201 gnutls_strerror (status));
205 case PROP_PRIVATE_KEY:
206 bytes = g_value_get_boxed (value);
209 g_return_if_fail (gnutls->have_key == FALSE);
210 data.data = bytes->data;
211 data.size = bytes->len;
213 gnutls_x509_privkey_init (&gnutls->key);
214 status = gnutls_x509_privkey_import (gnutls->key, &data,
215 GNUTLS_X509_FMT_DER);
219 gnutls_x509_privkey_import_pkcs8 (gnutls->key, &data,
220 GNUTLS_X509_FMT_DER, NULL,
222 if (pkcs8_status == 0)
226 gnutls->have_key = TRUE;
227 else if (!gnutls->construct_error)
229 gnutls->construct_error =
230 g_error_new (G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
231 _("Could not parse DER private key: %s"),
232 gnutls_strerror (status));
236 case PROP_PRIVATE_KEY_PEM:
237 string = g_value_get_string (value);
240 g_return_if_fail (gnutls->have_key == FALSE);
241 data.data = (void *)string;
242 data.size = strlen (string);
244 gnutls_x509_privkey_init (&gnutls->key);
245 status = gnutls_x509_privkey_import (gnutls->key, &data,
246 GNUTLS_X509_FMT_PEM);
250 gnutls_x509_privkey_import_pkcs8 (gnutls->key, &data,
251 GNUTLS_X509_FMT_PEM, NULL,
253 if (pkcs8_status == 0)
257 gnutls->have_key = TRUE;
258 else if (!gnutls->construct_error)
260 gnutls->construct_error =
261 g_error_new (G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
262 _("Could not parse PEM private key: %s"),
263 gnutls_strerror (status));
268 gnutls->issuer = g_value_dup_object (value);
272 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
276 #if ENABLE(TIZEN_TV_ADJUST_TIME)
277 extern double soupTimeOffset;
280 correct_time_func(time_t *t)
282 return time(NULL) + (time_t)(soupTimeOffset / 1000);
287 g_tls_certificate_gnutls_init (GTlsCertificateGnutls *gnutls)
289 gnutls_x509_crt_init (&gnutls->cert);
290 #if ENABLE(TIZEN_TV_ADJUST_TIME)
291 gnutls_global_set_time_function(correct_time_func);
296 g_tls_certificate_gnutls_initable_init (GInitable *initable,
297 GCancellable *cancellable,
300 GTlsCertificateGnutls *gnutls = G_TLS_CERTIFICATE_GNUTLS (initable);
302 if (gnutls->construct_error)
304 g_propagate_error (error, gnutls->construct_error);
305 gnutls->construct_error = NULL;
308 else if (!gnutls->have_cert)
310 g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
311 _("No certificate data provided"));
318 static GTlsCertificateFlags
319 g_tls_certificate_gnutls_verify (GTlsCertificate *cert,
320 GSocketConnectable *identity,
321 GTlsCertificate *trusted_ca)
323 GTlsCertificateGnutls *cert_gnutls;
325 gnutls_x509_crt_t *chain;
326 GTlsCertificateFlags gtls_flags;
328 cert_gnutls = G_TLS_CERTIFICATE_GNUTLS (cert);
332 cert_gnutls = cert_gnutls->issuer;
337 chain = g_new (gnutls_x509_crt_t, num_certs);
338 cert_gnutls = G_TLS_CERTIFICATE_GNUTLS (cert);
339 for (i = 0; i < num_certs; i++)
341 chain[i] = cert_gnutls->cert;
342 cert_gnutls = cert_gnutls->issuer;
344 g_assert (!cert_gnutls);
348 gnutls_x509_crt_t ca;
352 ca = G_TLS_CERTIFICATE_GNUTLS (trusted_ca)->cert;
353 status = gnutls_x509_crt_list_verify (chain, num_certs,
360 return G_TLS_CERTIFICATE_GENERIC_ERROR;
363 gtls_flags = g_tls_certificate_gnutls_convert_flags (gnutls_flags);
371 gtls_flags |= g_tls_certificate_gnutls_verify_identity (G_TLS_CERTIFICATE_GNUTLS (cert), identity);
377 g_tls_certificate_gnutls_class_init (GTlsCertificateGnutlsClass *klass)
379 GObjectClass *gobject_class = G_OBJECT_CLASS (klass);
380 GTlsCertificateClass *certificate_class = G_TLS_CERTIFICATE_CLASS (klass);
382 gobject_class->get_property = g_tls_certificate_gnutls_get_property;
383 gobject_class->set_property = g_tls_certificate_gnutls_set_property;
384 gobject_class->finalize = g_tls_certificate_gnutls_finalize;
386 certificate_class->verify = g_tls_certificate_gnutls_verify;
388 g_object_class_override_property (gobject_class, PROP_CERTIFICATE, "certificate");
389 g_object_class_override_property (gobject_class, PROP_CERTIFICATE_PEM, "certificate-pem");
390 g_object_class_override_property (gobject_class, PROP_PRIVATE_KEY, "private-key");
391 g_object_class_override_property (gobject_class, PROP_PRIVATE_KEY_PEM, "private-key-pem");
392 g_object_class_override_property (gobject_class, PROP_ISSUER, "issuer");
396 g_tls_certificate_gnutls_initable_iface_init (GInitableIface *iface)
398 iface->init = g_tls_certificate_gnutls_initable_init;
402 g_tls_certificate_gnutls_new (const gnutls_datum_t *datum,
403 GTlsCertificate *issuer)
405 GTlsCertificateGnutls *gnutls;
407 gnutls = g_object_new (G_TYPE_TLS_CERTIFICATE_GNUTLS,
410 g_tls_certificate_gnutls_set_data (gnutls, datum);
412 return G_TLS_CERTIFICATE (gnutls);
416 g_tls_certificate_gnutls_set_data (GTlsCertificateGnutls *gnutls,
417 const gnutls_datum_t *datum)
419 g_return_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (gnutls));
420 g_return_if_fail (!gnutls->have_cert);
422 if (gnutls_x509_crt_import (gnutls->cert, datum,
423 GNUTLS_X509_FMT_DER) == 0)
424 gnutls->have_cert = TRUE;
427 const gnutls_x509_crt_t
428 g_tls_certificate_gnutls_get_cert (GTlsCertificateGnutls *gnutls)
434 g_tls_certificate_gnutls_has_key (GTlsCertificateGnutls *gnutls)
436 return gnutls->have_key;
440 g_tls_certificate_gnutls_copy (GTlsCertificateGnutls *gnutls,
441 const gchar *interaction_id,
442 gnutls_pcert_st **pcert,
443 unsigned int *pcert_length,
444 gnutls_privkey_t *pkey)
446 GTlsCertificateGnutls *chain;
450 g_return_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (gnutls));
451 g_return_if_fail (pcert != NULL);
452 g_return_if_fail (pcert_length != NULL);
453 g_return_if_fail (pkey != NULL);
455 /* We will do this loop twice. It's probably more efficient than
456 * re-allocating memory.
459 while (chain != NULL)
462 chain = chain->issuer;
466 *pcert = g_malloc (sizeof (gnutls_pcert_st) * num_certs);
468 /* Now do the actual copy of the whole chain. */
470 while (chain != NULL)
472 gnutls_x509_crt_t cert;
475 gnutls_x509_crt_export2 (chain->cert, GNUTLS_X509_FMT_DER, &data);
477 gnutls_x509_crt_init (&cert);
478 status = gnutls_x509_crt_import (cert, &data, GNUTLS_X509_FMT_DER);
479 g_warn_if_fail (status == 0);
480 gnutls_free (data.data);
482 gnutls_pcert_import_x509 (*pcert + *pcert_length, cert, 0);
483 gnutls_x509_crt_deinit (cert);
486 chain = chain->issuer;
489 if (gnutls->key != NULL)
491 gnutls_x509_privkey_t x509_privkey;
492 gnutls_privkey_t privkey;
494 gnutls_x509_privkey_init (&x509_privkey);
495 gnutls_x509_privkey_cpy (x509_privkey, gnutls->key);
497 gnutls_privkey_init (&privkey);
498 gnutls_privkey_import_x509 (privkey, x509_privkey, GNUTLS_PRIVKEY_IMPORT_COPY);
500 gnutls_x509_privkey_deinit (x509_privkey);
509 g_tls_certificate_gnutls_copy_free (gnutls_pcert_st *pcert,
510 unsigned int pcert_length,
511 gnutls_privkey_t pkey)
515 for (unsigned int i = 0; i < pcert_length; i++)
516 gnutls_pcert_deinit (&pcert[i]);
521 gnutls_privkey_deinit (pkey);
524 static const struct {
526 GTlsCertificateFlags gtls_flag;
528 { GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_SIGNER_NOT_CA, G_TLS_CERTIFICATE_UNKNOWN_CA },
529 { GNUTLS_CERT_NOT_ACTIVATED, G_TLS_CERTIFICATE_NOT_ACTIVATED },
530 { GNUTLS_CERT_EXPIRED, G_TLS_CERTIFICATE_EXPIRED },
531 { GNUTLS_CERT_REVOKED, G_TLS_CERTIFICATE_REVOKED },
532 { GNUTLS_CERT_INSECURE_ALGORITHM, G_TLS_CERTIFICATE_INSECURE },
533 { GNUTLS_CERT_UNEXPECTED_OWNER, G_TLS_CERTIFICATE_BAD_IDENTITY }
535 static const int flags_map_size = G_N_ELEMENTS (flags_map);
538 g_tls_certificate_gnutls_convert_flags (guint gnutls_flags)
541 GTlsCertificateFlags gtls_flags;
543 /* Convert GNUTLS status to GTlsCertificateFlags. GNUTLS sets
544 * GNUTLS_CERT_INVALID if it sets any other flag, so we want to
545 * strip that out unless it's the only flag set. Then we convert
546 * specific flags we recognize, and if there are any flags left over
547 * at the end, we add G_TLS_CERTIFICATE_GENERIC_ERROR.
551 if (gnutls_flags != GNUTLS_CERT_INVALID)
552 gnutls_flags = gnutls_flags & ~GNUTLS_CERT_INVALID;
553 for (i = 0; i < flags_map_size && gnutls_flags != 0; i++)
555 if (gnutls_flags & flags_map[i].gnutls_flag)
557 gnutls_flags &= ~flags_map[i].gnutls_flag;
558 gtls_flags |= flags_map[i].gtls_flag;
562 gtls_flags |= G_TLS_CERTIFICATE_GENERIC_ERROR;
568 verify_identity_hostname (GTlsCertificateGnutls *gnutls,
569 GSocketConnectable *identity)
571 const char *hostname;
573 if (G_IS_NETWORK_ADDRESS (identity))
574 hostname = g_network_address_get_hostname (G_NETWORK_ADDRESS (identity));
575 else if (G_IS_NETWORK_SERVICE (identity))
576 hostname = g_network_service_get_domain (G_NETWORK_SERVICE (identity));
580 return gnutls_x509_crt_check_hostname (gnutls->cert, hostname);
584 verify_identity_ip (GTlsCertificateGnutls *gnutls,
585 GSocketConnectable *identity)
590 const guint8 *addr_bytes;
592 if (G_IS_INET_SOCKET_ADDRESS (identity))
593 addr = g_object_ref (g_inet_socket_address_get_address (G_INET_SOCKET_ADDRESS (identity)));
595 const char *hostname;
597 if (G_IS_NETWORK_ADDRESS (identity))
598 hostname = g_network_address_get_hostname (G_NETWORK_ADDRESS (identity));
599 else if (G_IS_NETWORK_SERVICE (identity))
600 hostname = g_network_service_get_domain (G_NETWORK_SERVICE (identity));
604 addr = g_inet_address_new_from_string (hostname);
609 addr_bytes = g_inet_address_to_bytes (addr);
610 addr_size = g_inet_address_get_native_size (addr);
612 for (i = 0; ret >= 0; i++)
617 san_size = sizeof (san);
618 ret = gnutls_x509_crt_get_subject_alt_name (gnutls->cert, i,
619 san, &san_size, NULL);
621 if ((ret == GNUTLS_SAN_IPADDRESS) && (addr_size == san_size))
623 if (memcmp (addr_bytes, san, addr_size) == 0)
625 g_object_unref (addr);
631 g_object_unref (addr);
636 g_tls_certificate_gnutls_verify_identity (GTlsCertificateGnutls *gnutls,
637 GSocketConnectable *identity)
639 if (verify_identity_hostname (gnutls, identity))
641 else if (verify_identity_ip (gnutls, identity))
644 /* FIXME: check sRVName and uniformResourceIdentifier
645 * subjectAltNames, if appropriate for @identity.
647 return G_TLS_CERTIFICATE_BAD_IDENTITY;
651 g_tls_certificate_gnutls_set_issuer (GTlsCertificateGnutls *gnutls,
652 GTlsCertificateGnutls *issuer)
654 g_return_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (gnutls));
655 g_return_if_fail (!issuer || G_IS_TLS_CERTIFICATE_GNUTLS (issuer));
658 g_object_ref (issuer);
660 g_object_unref (gnutls->issuer);
661 gnutls->issuer = issuer;
662 g_object_notify (G_OBJECT (gnutls), "issuer");
666 g_tls_certificate_gnutls_get_bytes (GTlsCertificateGnutls *gnutls)
670 g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (gnutls), NULL);
672 g_object_get (gnutls, "certificate", &array, NULL);
673 return g_byte_array_free_to_bytes (array);
676 static gnutls_x509_crt_t *
677 convert_data_to_gnutls_certs (const gnutls_datum_t *certs,
679 gnutls_x509_crt_fmt_t format)
681 gnutls_x509_crt_t *gnutls_certs;
684 gnutls_certs = g_new (gnutls_x509_crt_t, num_certs);
686 for (i = 0; i < num_certs; i++)
688 if (gnutls_x509_crt_init (&gnutls_certs[i]) < 0)
695 for (i = 0; i < num_certs; i++)
697 if (gnutls_x509_crt_import (gnutls_certs[i], &certs[i], format) < 0)
707 for (; i != G_MAXUINT; i--)
708 gnutls_x509_crt_deinit (gnutls_certs[i]);
709 g_free (gnutls_certs);
713 GTlsCertificateGnutls *
714 g_tls_certificate_gnutls_build_chain (const gnutls_datum_t *certs,
716 gnutls_x509_crt_fmt_t format)
718 GPtrArray *glib_certs;
719 gnutls_x509_crt_t *gnutls_certs;
720 GTlsCertificateGnutls *issuer;
721 GTlsCertificateGnutls *result;
724 g_return_val_if_fail (certs, NULL);
726 gnutls_certs = convert_data_to_gnutls_certs (certs, num_certs, format);
730 glib_certs = g_ptr_array_new_full (num_certs, g_object_unref);
731 for (i = 0; i < num_certs; i++)
732 g_ptr_array_add (glib_certs, g_tls_certificate_gnutls_new (&certs[i], NULL));
734 /* Some servers send certs out of order, or will send duplicate
735 * certs, so we need to be careful when assigning the issuer of
736 * our new GTlsCertificateGnutls.
738 for (i = 0; i < num_certs; i++)
742 /* Check if the cert issued itself */
743 if (gnutls_x509_crt_check_issuer (gnutls_certs[i], gnutls_certs[i]))
746 if (i < num_certs - 1 &&
747 gnutls_x509_crt_check_issuer (gnutls_certs[i], gnutls_certs[i + 1]))
749 issuer = glib_certs->pdata[i + 1];
753 for (j = 0; j < num_certs; j++)
756 gnutls_x509_crt_check_issuer (gnutls_certs[i], gnutls_certs[j]))
758 issuer = glib_certs->pdata[j];
765 g_tls_certificate_gnutls_set_issuer (glib_certs->pdata[i], issuer);
768 result = g_object_ref (glib_certs->pdata[0]);
769 g_ptr_array_unref (glib_certs);
771 for (i = 0; i < num_certs; i++)
772 gnutls_x509_crt_deinit (gnutls_certs[i]);
773 g_free (gnutls_certs);