1 /* GIO - GLib Input, Output and Streaming Library
3 * Copyright 2009 Red Hat, Inc
5 * This library is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU Lesser General Public
7 * License as published by the Free Software Foundation; either
8 * version 2 of the License, or (at your option) any later version.
10 * This library is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * Lesser General Public License for more details.
15 * You should have received a copy of the GNU Lesser General
16 * Public License along with this library; if not, see
17 * <http://www.gnu.org/licenses/>.
22 #include <gnutls/gnutls.h>
23 #include <gnutls/x509.h>
26 #include "gtlscertificate-gnutls.h"
27 #include <glib/gi18n-lib.h>
29 static void g_tls_certificate_gnutls_initable_iface_init (GInitableIface *iface);
31 G_DEFINE_TYPE_WITH_CODE (GTlsCertificateGnutls, g_tls_certificate_gnutls, G_TYPE_TLS_CERTIFICATE,
32 G_IMPLEMENT_INTERFACE (G_TYPE_INITABLE,
33 g_tls_certificate_gnutls_initable_iface_init);)
46 struct _GTlsCertificateGnutlsPrivate
48 gnutls_x509_crt_t cert;
49 gnutls_x509_privkey_t key;
51 GTlsCertificateGnutls *issuer;
53 GError *construct_error;
60 g_tls_certificate_gnutls_finalize (GObject *object)
62 GTlsCertificateGnutls *gnutls = G_TLS_CERTIFICATE_GNUTLS (object);
64 gnutls_x509_crt_deinit (gnutls->priv->cert);
65 if (gnutls->priv->key)
66 gnutls_x509_privkey_deinit (gnutls->priv->key);
68 if (gnutls->priv->issuer)
69 g_object_unref (gnutls->priv->issuer);
71 g_clear_error (&gnutls->priv->construct_error);
73 G_OBJECT_CLASS (g_tls_certificate_gnutls_parent_class)->finalize (object);
77 g_tls_certificate_gnutls_get_property (GObject *object,
82 GTlsCertificateGnutls *gnutls = G_TLS_CERTIFICATE_GNUTLS (object);
83 GByteArray *certificate;
84 char *certificate_pem;
90 case PROP_CERTIFICATE:
92 status = gnutls_x509_crt_export (gnutls->priv->cert,
95 if (status != GNUTLS_E_SHORT_MEMORY_BUFFER)
99 certificate = g_byte_array_sized_new (size);
100 certificate->len = size;
101 status = gnutls_x509_crt_export (gnutls->priv->cert,
103 certificate->data, &size);
106 g_byte_array_free (certificate, TRUE);
110 g_value_take_boxed (value, certificate);
113 case PROP_CERTIFICATE_PEM:
115 status = gnutls_x509_crt_export (gnutls->priv->cert,
118 if (status != GNUTLS_E_SHORT_MEMORY_BUFFER)
119 certificate_pem = NULL;
122 certificate_pem = g_malloc (size);
123 status = gnutls_x509_crt_export (gnutls->priv->cert,
125 certificate_pem, &size);
128 g_free (certificate_pem);
129 certificate_pem = NULL;
132 g_value_take_string (value, certificate_pem);
136 g_value_set_object (value, gnutls->priv->issuer);
140 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
145 g_tls_certificate_gnutls_set_property (GObject *object,
150 GTlsCertificateGnutls *gnutls = G_TLS_CERTIFICATE_GNUTLS (object);
158 case PROP_CERTIFICATE:
159 bytes = g_value_get_boxed (value);
162 g_return_if_fail (gnutls->priv->have_cert == FALSE);
163 data.data = bytes->data;
164 data.size = bytes->len;
165 status = gnutls_x509_crt_import (gnutls->priv->cert, &data,
166 GNUTLS_X509_FMT_DER);
168 gnutls->priv->have_cert = TRUE;
169 else if (!gnutls->priv->construct_error)
171 gnutls->priv->construct_error =
172 g_error_new (G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
173 _("Could not parse DER certificate: %s"),
174 gnutls_strerror (status));
179 case PROP_CERTIFICATE_PEM:
180 string = g_value_get_string (value);
183 g_return_if_fail (gnutls->priv->have_cert == FALSE);
184 data.data = (void *)string;
185 data.size = strlen (string);
186 status = gnutls_x509_crt_import (gnutls->priv->cert, &data,
187 GNUTLS_X509_FMT_PEM);
189 gnutls->priv->have_cert = TRUE;
190 else if (!gnutls->priv->construct_error)
192 gnutls->priv->construct_error =
193 g_error_new (G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
194 _("Could not parse PEM certificate: %s"),
195 gnutls_strerror (status));
199 case PROP_PRIVATE_KEY:
200 bytes = g_value_get_boxed (value);
203 g_return_if_fail (gnutls->priv->have_key == FALSE);
204 data.data = bytes->data;
205 data.size = bytes->len;
206 if (!gnutls->priv->key)
207 gnutls_x509_privkey_init (&gnutls->priv->key);
208 status = gnutls_x509_privkey_import (gnutls->priv->key, &data,
209 GNUTLS_X509_FMT_DER);
213 gnutls_x509_privkey_import_pkcs8 (gnutls->priv->key, &data,
214 GNUTLS_X509_FMT_DER, NULL,
216 if (pkcs8_status == 0)
220 gnutls->priv->have_key = TRUE;
221 else if (!gnutls->priv->construct_error)
223 gnutls->priv->construct_error =
224 g_error_new (G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
225 _("Could not parse DER private key: %s"),
226 gnutls_strerror (status));
230 case PROP_PRIVATE_KEY_PEM:
231 string = g_value_get_string (value);
234 g_return_if_fail (gnutls->priv->have_key == FALSE);
235 data.data = (void *)string;
236 data.size = strlen (string);
237 if (!gnutls->priv->key)
238 gnutls_x509_privkey_init (&gnutls->priv->key);
239 status = gnutls_x509_privkey_import (gnutls->priv->key, &data,
240 GNUTLS_X509_FMT_PEM);
244 gnutls_x509_privkey_import_pkcs8 (gnutls->priv->key, &data,
245 GNUTLS_X509_FMT_PEM, NULL,
247 if (pkcs8_status == 0)
251 gnutls->priv->have_key = TRUE;
252 else if (!gnutls->priv->construct_error)
254 gnutls->priv->construct_error =
255 g_error_new (G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
256 _("Could not parse PEM private key: %s"),
257 gnutls_strerror (status));
262 gnutls->priv->issuer = g_value_dup_object (value);
266 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
271 g_tls_certificate_gnutls_init (GTlsCertificateGnutls *gnutls)
273 gnutls->priv = G_TYPE_INSTANCE_GET_PRIVATE (gnutls,
274 G_TYPE_TLS_CERTIFICATE_GNUTLS,
275 GTlsCertificateGnutlsPrivate);
277 gnutls_x509_crt_init (&gnutls->priv->cert);
281 g_tls_certificate_gnutls_initable_init (GInitable *initable,
282 GCancellable *cancellable,
285 GTlsCertificateGnutls *gnutls = G_TLS_CERTIFICATE_GNUTLS (initable);
287 if (gnutls->priv->construct_error)
289 g_propagate_error (error, gnutls->priv->construct_error);
290 gnutls->priv->construct_error = NULL;
293 else if (!gnutls->priv->have_cert)
295 g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
296 _("No certificate data provided"));
303 static GTlsCertificateFlags
304 g_tls_certificate_gnutls_verify (GTlsCertificate *cert,
305 GSocketConnectable *identity,
306 GTlsCertificate *trusted_ca)
308 GTlsCertificateGnutls *cert_gnutls;
310 gnutls_x509_crt_t *chain;
311 GTlsCertificateFlags gtls_flags;
314 cert_gnutls = G_TLS_CERTIFICATE_GNUTLS (cert);
315 for (num_certs = 0; cert_gnutls; cert_gnutls = cert_gnutls->priv->issuer)
317 chain = g_new (gnutls_x509_crt_t, num_certs);
318 cert_gnutls = G_TLS_CERTIFICATE_GNUTLS (cert);
319 for (i = 0; cert_gnutls; cert_gnutls = cert_gnutls->priv->issuer, i++)
320 chain[i] = cert_gnutls->priv->cert;
324 gnutls_x509_crt_t ca;
328 ca = G_TLS_CERTIFICATE_GNUTLS (trusted_ca)->priv->cert;
329 status = gnutls_x509_crt_list_verify (chain, num_certs,
332 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
337 return G_TLS_CERTIFICATE_GENERIC_ERROR;
340 gtls_flags = g_tls_certificate_gnutls_convert_flags (gnutls_flags);
345 /* We have to check these ourselves since gnutls_x509_crt_list_verify
346 * won't bother if it gets an UNKNOWN_CA.
349 for (i = 0; i < num_certs; i++)
351 t = gnutls_x509_crt_get_activation_time (chain[i]);
352 if (t == (time_t) -1 || t > now)
353 gtls_flags |= G_TLS_CERTIFICATE_NOT_ACTIVATED;
355 t = gnutls_x509_crt_get_expiration_time (chain[i]);
356 if (t == (time_t) -1 || t < now)
357 gtls_flags |= G_TLS_CERTIFICATE_EXPIRED;
363 gtls_flags |= g_tls_certificate_gnutls_verify_identity (G_TLS_CERTIFICATE_GNUTLS (cert), identity);
369 g_tls_certificate_gnutls_real_copy (GTlsCertificateGnutls *gnutls,
370 const gchar *interaction_id,
373 gnutls_x509_crt_t cert;
377 gnutls_x509_crt_export (gnutls->priv->cert, GNUTLS_X509_FMT_DER,
379 data.data = g_malloc (size);
381 gnutls_x509_crt_export (gnutls->priv->cert, GNUTLS_X509_FMT_DER,
384 gnutls_x509_crt_init (&cert);
385 gnutls_x509_crt_import (cert, &data, GNUTLS_X509_FMT_DER);
389 st->cert.x509 = gnutls_malloc (sizeof (gnutls_x509_crt_t));
390 st->cert.x509[0] = cert;
392 if (gnutls->priv->key != NULL)
394 gnutls_x509_privkey_init (&st->key.x509);
395 gnutls_x509_privkey_cpy (st->key.x509, gnutls->priv->key);
396 st->key_type = GNUTLS_PRIVKEY_X509;
399 st->deinit_all = TRUE;
403 g_tls_certificate_gnutls_class_init (GTlsCertificateGnutlsClass *klass)
405 GObjectClass *gobject_class = G_OBJECT_CLASS (klass);
406 GTlsCertificateClass *certificate_class = G_TLS_CERTIFICATE_CLASS (klass);
408 g_type_class_add_private (klass, sizeof (GTlsCertificateGnutlsPrivate));
410 gobject_class->get_property = g_tls_certificate_gnutls_get_property;
411 gobject_class->set_property = g_tls_certificate_gnutls_set_property;
412 gobject_class->finalize = g_tls_certificate_gnutls_finalize;
414 certificate_class->verify = g_tls_certificate_gnutls_verify;
416 klass->copy = g_tls_certificate_gnutls_real_copy;
418 g_object_class_override_property (gobject_class, PROP_CERTIFICATE, "certificate");
419 g_object_class_override_property (gobject_class, PROP_CERTIFICATE_PEM, "certificate-pem");
420 g_object_class_override_property (gobject_class, PROP_PRIVATE_KEY, "private-key");
421 g_object_class_override_property (gobject_class, PROP_PRIVATE_KEY_PEM, "private-key-pem");
422 g_object_class_override_property (gobject_class, PROP_ISSUER, "issuer");
426 g_tls_certificate_gnutls_initable_iface_init (GInitableIface *iface)
428 iface->init = g_tls_certificate_gnutls_initable_init;
432 g_tls_certificate_gnutls_new (const gnutls_datum_t *datum,
433 GTlsCertificate *issuer)
435 GTlsCertificateGnutls *gnutls;
437 gnutls = g_object_new (G_TYPE_TLS_CERTIFICATE_GNUTLS,
440 g_tls_certificate_gnutls_set_data (gnutls, datum);
442 return G_TLS_CERTIFICATE (gnutls);
446 g_tls_certificate_gnutls_set_data (GTlsCertificateGnutls *gnutls,
447 const gnutls_datum_t *datum)
449 g_return_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (gnutls));
450 g_return_if_fail (!gnutls->priv->have_cert);
452 if (gnutls_x509_crt_import (gnutls->priv->cert, datum,
453 GNUTLS_X509_FMT_DER) == 0)
454 gnutls->priv->have_cert = TRUE;
457 const gnutls_x509_crt_t
458 g_tls_certificate_gnutls_get_cert (GTlsCertificateGnutls *gnutls)
460 return gnutls->priv->cert;
464 g_tls_certificate_gnutls_has_key (GTlsCertificateGnutls *gnutls)
466 return gnutls->priv->have_key;
470 g_tls_certificate_gnutls_copy (GTlsCertificateGnutls *gnutls,
471 const gchar *interaction_id,
474 g_return_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (gnutls));
475 g_return_if_fail (st != NULL);
476 g_return_if_fail (G_TLS_CERTIFICATE_GNUTLS_GET_CLASS (gnutls)->copy);
477 G_TLS_CERTIFICATE_GNUTLS_GET_CLASS (gnutls)->copy (gnutls, interaction_id, st);
480 static const struct {
482 GTlsCertificateFlags gtls_flag;
484 { GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_SIGNER_NOT_CA, G_TLS_CERTIFICATE_UNKNOWN_CA },
485 { GNUTLS_CERT_NOT_ACTIVATED, G_TLS_CERTIFICATE_NOT_ACTIVATED },
486 { GNUTLS_CERT_EXPIRED, G_TLS_CERTIFICATE_EXPIRED },
487 { GNUTLS_CERT_REVOKED, G_TLS_CERTIFICATE_REVOKED },
488 { GNUTLS_CERT_INSECURE_ALGORITHM, G_TLS_CERTIFICATE_INSECURE }
490 static const int flags_map_size = G_N_ELEMENTS (flags_map);
493 g_tls_certificate_gnutls_convert_flags (guint gnutls_flags)
496 GTlsCertificateFlags gtls_flags;
498 /* Convert GNUTLS status to GTlsCertificateFlags. GNUTLS sets
499 * GNUTLS_CERT_INVALID if it sets any other flag, so we want to
500 * strip that out unless it's the only flag set. Then we convert
501 * specific flags we recognize, and if there are any flags left over
502 * at the end, we add G_TLS_CERTIFICATE_GENERIC_ERROR.
506 if (gnutls_flags != GNUTLS_CERT_INVALID)
507 gnutls_flags = gnutls_flags & ~GNUTLS_CERT_INVALID;
508 for (i = 0; i < flags_map_size && gnutls_flags != 0; i++)
510 if (gnutls_flags & flags_map[i].gnutls_flag)
512 gnutls_flags &= ~flags_map[i].gnutls_flag;
513 gtls_flags |= flags_map[i].gtls_flag;
517 gtls_flags |= G_TLS_CERTIFICATE_GENERIC_ERROR;
523 g_tls_certificate_gnutls_verify_identity (GTlsCertificateGnutls *gnutls,
524 GSocketConnectable *identity)
526 const char *hostname;
528 if (G_IS_NETWORK_ADDRESS (identity))
529 hostname = g_network_address_get_hostname (G_NETWORK_ADDRESS (identity));
530 else if (G_IS_NETWORK_SERVICE (identity))
531 hostname = g_network_service_get_domain (G_NETWORK_SERVICE (identity));
537 if (gnutls_x509_crt_check_hostname (gnutls->priv->cert, hostname))
541 /* FIXME: check sRVName and uniformResourceIdentifier
542 * subjectAltNames, if appropriate for @identity.
545 return G_TLS_CERTIFICATE_BAD_IDENTITY;
549 g_tls_certificate_gnutls_set_issuer (GTlsCertificateGnutls *gnutls,
550 GTlsCertificateGnutls *issuer)
552 g_return_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (gnutls));
553 g_return_if_fail (!issuer || G_IS_TLS_CERTIFICATE_GNUTLS (issuer));
556 g_object_ref (issuer);
557 if (gnutls->priv->issuer)
558 g_object_unref (gnutls->priv->issuer);
559 gnutls->priv->issuer = issuer;
560 g_object_notify (G_OBJECT (gnutls), "issuer");
564 g_tls_certificate_gnutls_get_bytes (GTlsCertificateGnutls *gnutls)
568 g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (gnutls), NULL);
570 g_object_get (gnutls, "certificate", &array, NULL);
571 return g_byte_array_free_to_bytes (array);