1 /* GIO - GLib Input, Output and Streaming Library
3 * Copyright 2009 Red Hat, Inc
5 * This library is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU Lesser General Public
7 * License as published by the Free Software Foundation; either
8 * version 2 of the License, or (at your option) any later version.
10 * This library is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * Lesser General Public License for more details.
15 * You should have received a copy of the GNU Lesser General
16 * Public License along with this library; if not, see
17 * <http://www.gnu.org/licenses/>.
22 #include <gnutls/gnutls.h>
23 #include <gnutls/x509.h>
26 #include "gtlscertificate-gnutls.h"
27 #include <glib/gi18n-lib.h>
29 static void g_tls_certificate_gnutls_initable_iface_init (GInitableIface *iface);
31 G_DEFINE_TYPE_WITH_CODE (GTlsCertificateGnutls, g_tls_certificate_gnutls, G_TYPE_TLS_CERTIFICATE,
32 G_IMPLEMENT_INTERFACE (G_TYPE_INITABLE,
33 g_tls_certificate_gnutls_initable_iface_init);)
40 PROP_CERTIFICATE_BYTES,
43 PROP_PRIVATE_KEY_BYTES,
/* Per-instance private state of a GTlsCertificateGnutls. */
struct _GTlsCertificateGnutlsPrivate
{
  /* GnuTLS certificate handle: created in the instance init function,
   * released in finalize. */
  gnutls_x509_crt_t cert;
  /* Optional private-key handle, created on demand by the private-key
   * setters.  It holds secret key material for the object's lifetime. */
  gnutls_x509_privkey_t key;

  /* Next certificate up the chain (owned reference), or NULL. */
  GTlsCertificateGnutls *issuer;

  /* First parse error recorded while properties were being set; it is
   * handed to the caller by the GInitable init function. */
  GError *construct_error;

  /* Set once a certificate / private key has been imported successfully. */
  guint have_cert : 1;
  guint have_key  : 1;
};
/* GObject finalizer: releases the GnuTLS handles, the issuer reference and
 * any construct error that was never propagated, then chains up. */
static void
g_tls_certificate_gnutls_finalize (GObject *object)
{
  GTlsCertificateGnutlsPrivate *priv = G_TLS_CERTIFICATE_GNUTLS (object)->priv;

  gnutls_x509_crt_deinit (priv->cert);

  /* The key handle only exists if a private-key property was ever set. */
  if (priv->key != NULL)
    gnutls_x509_privkey_deinit (priv->key);

  if (priv->issuer != NULL)
    g_object_unref (priv->issuer);

  g_clear_error (&priv->construct_error);

  G_OBJECT_CLASS (g_tls_certificate_gnutls_parent_class)->finalize (object);
}
/* Export the certificate as DER.
 *
 * Returns a newly allocated GByteArray owned by the caller, or NULL if
 * either GnuTLS export call does not behave as expected.
 */
static GByteArray *
get_der_for_certificate (GTlsCertificateGnutls *self)
{
  GByteArray *der;
  size_t needed = 0;
  int rc;

  /* First pass with a NULL buffer: GnuTLS reports the required size and
   * is expected to fail with GNUTLS_E_SHORT_MEMORY_BUFFER. */
  rc = gnutls_x509_crt_export (self->priv->cert,
                               GNUTLS_X509_FMT_DER,
                               NULL, &needed);
  if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
    return NULL;

  /* Second pass into a buffer of exactly the reported size. */
  der = g_byte_array_sized_new (needed);
  der->len = needed;
  rc = gnutls_x509_crt_export (self->priv->cert,
                               GNUTLS_X509_FMT_DER,
                               der->data, &needed);
  if (rc != 0)
    {
      g_byte_array_free (der, TRUE);
      return NULL;
    }

  return der;
}
/* Export the certificate as PEM text.
 *
 * Returns a newly allocated string owned by the caller, or NULL if either
 * GnuTLS export call does not behave as expected.
 */
static char *
get_pem_for_certificate (GTlsCertificateGnutls *self)
{
  char *pem;
  size_t needed = 0;
  int rc;

  /* Size query: a NULL buffer is expected to yield
   * GNUTLS_E_SHORT_MEMORY_BUFFER together with the required size. */
  rc = gnutls_x509_crt_export (self->priv->cert,
                               GNUTLS_X509_FMT_PEM,
                               NULL, &needed);
  if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
    return NULL;

  /* NOTE(review): the result is later handed out as a C string, so this
   * relies on GnuTLS NUL-terminating PEM output within the reported
   * size -- confirm against the GnuTLS version in use. */
  pem = g_malloc (needed);
  rc = gnutls_x509_crt_export (self->priv->cert,
                               GNUTLS_X509_FMT_PEM,
                               pem, &needed);
  if (rc != 0)
    {
      g_free (pem);
      return NULL;
    }

  return pem;
}
/* GObject property getter.
 *
 * Only the certificate (DER array, DER bytes, PEM) and the issuer are
 * readable here.  The private-key property ids have no case, so reading
 * them ends in the invalid-property warning and returns no key material.
 */
static void
g_tls_certificate_gnutls_get_property (GObject    *object,
                                       guint       prop_id,
                                       GValue     *value,
                                       GParamSpec *pspec)
{
  GTlsCertificateGnutls *self = G_TLS_CERTIFICATE_GNUTLS (object);
  GByteArray *der;

  switch (prop_id)
    {
    case PROP_CERTIFICATE:
      g_value_take_boxed (value, get_der_for_certificate (self));
      break;

    case PROP_CERTIFICATE_BYTES:
      /* Export may fail; only convert to GBytes when there is an array. */
      der = get_der_for_certificate (self);
      g_value_take_boxed (value,
                          der != NULL ? g_byte_array_free_to_bytes (der) : NULL);
      break;

    case PROP_CERTIFICATE_PEM:
      g_value_take_string (value, get_pem_for_certificate (self));
      break;

    case PROP_ISSUER:
      g_value_set_object (value, self->priv->issuer);
      break;

    default:
      G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
    }
}
/* Import a DER-encoded certificate into the instance's GnuTLS handle.
 *
 * On failure the error is recorded in construct_error (only the first
 * such error is kept) instead of being reported directly.
 */
static void
set_certificate_from_der (GTlsCertificateGnutls *self,
                          const guchar          *der,
                          gsize                  length)
{
  gnutls_datum_t input;
  int rc;

  /* A certificate may be set at most once per object. */
  g_return_if_fail (self->priv->have_cert == FALSE);

  /* GnuTLS takes a non-const pointer; the cast only drops the qualifier. */
  input.data = (guchar *)der;
  /* NOTE(review): gnutls_datum_t.size is an unsigned int, so a gsize
   * length above G_MAXUINT would be truncated here -- confirm callers
   * cannot pass such a buffer. */
  input.size = length;

  rc = gnutls_x509_crt_import (self->priv->cert, &input,
                               GNUTLS_X509_FMT_DER);
  if (rc == 0)
    {
      self->priv->have_cert = TRUE;
      return;
    }

  if (!self->priv->construct_error)
    {
      self->priv->construct_error =
        g_error_new (G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
                     _("Could not parse DER certificate: %s"),
                     gnutls_strerror (rc));
    }
}
/* Import a PEM-encoded certificate from a NUL-terminated string.
 *
 * On failure the error is recorded in construct_error (only the first
 * such error is kept) instead of being reported directly.
 */
static void
set_certificate_from_pem (GTlsCertificateGnutls *self,
                          const gchar           *string)
{
  gnutls_datum_t input;
  int rc;

  /* A certificate may be set at most once per object. */
  g_return_if_fail (self->priv->have_cert == FALSE);

  /* The caller (the property setter) only passes a non-NULL string. */
  input.data = (guchar *)string;
  input.size = strlen (string);

  rc = gnutls_x509_crt_import (self->priv->cert, &input,
                               GNUTLS_X509_FMT_PEM);
  if (rc == 0)
    {
      self->priv->have_cert = TRUE;
      return;
    }

  if (!self->priv->construct_error)
    {
      self->priv->construct_error =
        g_error_new (G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
                     _("Could not parse PEM certificate: %s"),
                     gnutls_strerror (rc));
    }
}
/* Import a DER-encoded private key.
 *
 * The data is first tried as a raw key and then as PKCS#8 with a NULL
 * password and GNUTLS_PKCS_PLAIN, i.e. unencrypted PKCS#8 only.
 * The caller's buffer is neither copied nor wiped here; clearing the key
 * material in it remains the caller's responsibility.
 */
static void
set_private_key_from_der (GTlsCertificateGnutls *self,
                          const guchar          *der,
                          gsize                  length)
{
  gnutls_datum_t input;
  int rc;

  /* A private key may be set at most once per object. */
  g_return_if_fail (self->priv->have_key == FALSE);

  input.data = (guchar *)der;
  /* NOTE(review): gnutls_datum_t.size is an unsigned int; a gsize above
   * G_MAXUINT would be truncated -- confirm callers cannot pass one. */
  input.size = length;

  /* NOTE(review): the return value of the init call is not checked. */
  if (!self->priv->key)
    gnutls_x509_privkey_init (&self->priv->key);

  rc = gnutls_x509_privkey_import (self->priv->key, &input,
                                   GNUTLS_X509_FMT_DER);
  if (rc != 0 &&
      gnutls_x509_privkey_import_pkcs8 (self->priv->key, &input,
                                        GNUTLS_X509_FMT_DER, NULL,
                                        GNUTLS_PKCS_PLAIN) == 0)
    rc = 0;

  if (rc == 0)
    {
      self->priv->have_key = TRUE;
      return;
    }

  /* The message reports the status of the raw import, not of the PKCS#8
   * fallback. */
  if (!self->priv->construct_error)
    {
      self->priv->construct_error =
        g_error_new (G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
                     _("Could not parse DER private key: %s"),
                     gnutls_strerror (rc));
    }
}
/* Import a PEM-encoded private key from a NUL-terminated string.
 *
 * The data is first tried as a raw key and then as PKCS#8 with a NULL
 * password and GNUTLS_PKCS_PLAIN, i.e. unencrypted PKCS#8 only.
 * The caller's string is neither copied nor wiped here; clearing the key
 * material in it remains the caller's responsibility.
 */
static void
set_private_key_from_pem (GTlsCertificateGnutls *self,
                          const gchar           *string)
{
  gnutls_datum_t input;
  int rc;

  /* A private key may be set at most once per object. */
  g_return_if_fail (self->priv->have_key == FALSE);

  input.data = (guchar *)string;
  input.size = strlen (string);

  /* NOTE(review): the return value of the init call is not checked. */
  if (!self->priv->key)
    gnutls_x509_privkey_init (&self->priv->key);

  rc = gnutls_x509_privkey_import (self->priv->key, &input,
                                   GNUTLS_X509_FMT_PEM);
  if (rc != 0 &&
      gnutls_x509_privkey_import_pkcs8 (self->priv->key, &input,
                                        GNUTLS_X509_FMT_PEM, NULL,
                                        GNUTLS_PKCS_PLAIN) == 0)
    rc = 0;

  if (rc == 0)
    {
      self->priv->have_key = TRUE;
      return;
    }

  /* The message reports the status of the raw import, not of the PKCS#8
   * fallback. */
  if (!self->priv->construct_error)
    {
      self->priv->construct_error =
        g_error_new (G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
                     _("Could not parse PEM private key: %s"),
                     gnutls_strerror (rc));
    }
}
/* GObject property setter.
 *
 * Each certificate / private-key property is offered in three encodings
 * (DER byte array, DER GBytes, PEM string).  A NULL value is ignored;
 * parse failures are recorded by the helper that does the import.
 */
static void
g_tls_certificate_gnutls_set_property (GObject      *object,
                                       guint         prop_id,
                                       const GValue *value,
                                       GParamSpec   *pspec)
{
  GTlsCertificateGnutls *self = G_TLS_CERTIFICATE_GNUTLS (object);
  GByteArray *array;
  GBytes *blob;
  const char *pem;

  switch (prop_id)
    {
    case PROP_CERTIFICATE:
      array = g_value_get_boxed (value);
      if (array != NULL)
        set_certificate_from_der (self, array->data, array->len);
      break;

    case PROP_CERTIFICATE_BYTES:
      blob = g_value_get_boxed (value);
      if (blob != NULL)
        set_certificate_from_der (self, g_bytes_get_data (blob, NULL),
                                  g_bytes_get_size (blob));
      break;

    case PROP_CERTIFICATE_PEM:
      pem = g_value_get_string (value);
      if (pem != NULL)
        set_certificate_from_pem (self, pem);
      break;

    case PROP_PRIVATE_KEY:
      array = g_value_get_boxed (value);
      if (array != NULL)
        set_private_key_from_der (self, array->data, array->len);
      break;

    case PROP_PRIVATE_KEY_BYTES:
      blob = g_value_get_boxed (value);
      if (blob != NULL)
        set_private_key_from_der (self, g_bytes_get_data (blob, NULL),
                                  g_bytes_get_size (blob));
      break;

    case PROP_PRIVATE_KEY_PEM:
      pem = g_value_get_string (value);
      if (pem != NULL)
        set_private_key_from_pem (self, pem);
      break;

    case PROP_ISSUER:
      /* Takes its own reference; any previous value is overwritten
       * without being released here. */
      self->priv->issuer = g_value_dup_object (value);
      break;

    default:
      G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
    }
}
/* Instance initializer: wires up the private struct and creates the empty
 * GnuTLS certificate handle that the setters later import into. */
static void
g_tls_certificate_gnutls_init (GTlsCertificateGnutls *gnutls)
{
  GTlsCertificateGnutlsPrivate *priv;

  priv = G_TYPE_INSTANCE_GET_PRIVATE (gnutls,
                                      G_TYPE_TLS_CERTIFICATE_GNUTLS,
                                      GTlsCertificateGnutlsPrivate);
  gnutls->priv = priv;

  /* NOTE(review): the return value of the init call is not checked. */
  gnutls_x509_crt_init (&priv->cert);
}
/* GInitable.init implementation.
 *
 * Fails with the parse error recorded while properties were being set,
 * or with G_TLS_ERROR_BAD_CERTIFICATE when no certificate was imported.
 * Returns TRUE only when a certificate is present and nothing failed.
 */
static gboolean
g_tls_certificate_gnutls_initable_init (GInitable       *initable,
                                        GCancellable    *cancellable,
                                        GError         **error)
{
  GTlsCertificateGnutlsPrivate *priv = G_TLS_CERTIFICATE_GNUTLS (initable)->priv;

  if (priv->construct_error)
    {
      /* Ownership of the stored error moves to the caller. */
      g_propagate_error (error, priv->construct_error);
      priv->construct_error = NULL;
      return FALSE;
    }

  if (!priv->have_cert)
    {
      g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
                           _("No certificate data provided"));
      return FALSE;
    }

  return TRUE;
}
/* GTlsCertificateClass.verify implementation.
 *
 * Builds the chain from @cert by following the issuer links, verifies it
 * against @trusted_ca when one is given, checks the validity period of
 * every certificate in the chain, and checks @identity when one is given.
 *
 * Security-relevant behaviour:
 *  - With @trusted_ca == NULL no signature or trust check is made at all;
 *    the result then reflects only validity dates and identity, so a
 *    return value of 0 does not mean the chain is trusted.
 *  - No CRL list is passed to GnuTLS (NULL, 0).
 *  - GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT is passed to the chain check.
 *  - With @identity == NULL no identity check is made.
 *
 * Returns the accumulated GTlsCertificateFlags, 0 meaning no problem was
 * found by the checks that ran.
 */
static GTlsCertificateFlags
g_tls_certificate_gnutls_verify (GTlsCertificate     *cert,
                                 GSocketConnectable  *identity,
                                 GTlsCertificate     *trusted_ca)
{
  GTlsCertificateGnutls *link;
  gnutls_x509_crt_t *chain;
  GTlsCertificateFlags result = 0;
  guint num_certs = 0, i = 0;
  time_t now, when;

  /* NOTE(review): both walks assume the issuer links form no cycle;
   * nothing visible here enforces that -- confirm at the setters. */
  for (link = G_TLS_CERTIFICATE_GNUTLS (cert); link; link = link->priv->issuer)
    num_certs++;

  /* The array borrows the handles; only the array itself is freed. */
  chain = g_new (gnutls_x509_crt_t, num_certs);
  for (link = G_TLS_CERTIFICATE_GNUTLS (cert); link; link = link->priv->issuer)
    chain[i++] = link->priv->cert;

  if (trusted_ca)
    {
      gnutls_x509_crt_t ca = G_TLS_CERTIFICATE_GNUTLS (trusted_ca)->priv->cert;
      guint gnutls_flags;
      int status;

      status = gnutls_x509_crt_list_verify (chain, num_certs,
                                            &ca, 1,
                                            NULL, 0,
                                            GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
                                            &gnutls_flags);
      if (status != 0)
        {
          g_free (chain);
          return G_TLS_CERTIFICATE_GENERIC_ERROR;
        }

      result = g_tls_certificate_gnutls_convert_flags (gnutls_flags);
    }

  /* We have to check these ourselves since gnutls_x509_crt_list_verify
   * won't bother if it gets an UNKNOWN_CA.
   */
  now = time (NULL);
  for (i = 0; i < num_certs; i++)
    {
      /* A time GnuTLS cannot report is treated as a failure. */
      when = gnutls_x509_crt_get_activation_time (chain[i]);
      if (when == (time_t) -1 || when > now)
        result |= G_TLS_CERTIFICATE_NOT_ACTIVATED;

      when = gnutls_x509_crt_get_expiration_time (chain[i]);
      if (when == (time_t) -1 || when < now)
        result |= G_TLS_CERTIFICATE_EXPIRED;
    }

  g_free (chain);

  /* Identity is checked against the leaf certificate only. */
  if (identity)
    result |= g_tls_certificate_gnutls_verify_identity (G_TLS_CERTIFICATE_GNUTLS (cert), identity);

  return result;
}
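/* Default implementation of the class's copy vfunc: fills @st with an
 * independent copy of the certificate and, if present, the private key.
 *
 * Every GnuTLS call is checked.  On any failure @st is left advertising
 * no certificate (ncerts == 0) and a warning is logged, so that an empty
 * certificate handle or a certificate without its key is never handed
 * on.  On success @st owns the copies and deinit_all is set so that the
 * consumer of @st releases them.
 *
 * @interaction_id is not used by this implementation.
 */
static void
g_tls_certificate_gnutls_real_copy (GTlsCertificateGnutls    *gnutls,
                                    const gchar              *interaction_id,
                                    gnutls_retr2_st          *st)
{
  GByteArray *der;
  gnutls_x509_crt_t cert;
  gnutls_datum data;
  int status;

  st->ncerts = 0;

  /* Reuse the checked DER export helper rather than exporting blindly. */
  der = get_der_for_certificate (gnutls);
  if (der == NULL)
    {
      g_warning ("Could not export certificate for copying");
      return;
    }
  data.data = der->data;
  data.size = der->len;

  status = gnutls_x509_crt_init (&cert);
  if (status != 0)
    {
      g_byte_array_free (der, TRUE);
      g_warning ("Could not copy certificate: %s", gnutls_strerror (status));
      return;
    }

  status = gnutls_x509_crt_import (cert, &data, GNUTLS_X509_FMT_DER);
  g_byte_array_free (der, TRUE);
  if (status != 0)
    {
      gnutls_x509_crt_deinit (cert);
      g_warning ("Could not copy certificate: %s", gnutls_strerror (status));
      return;
    }

  st->cert.x509 = gnutls_malloc (sizeof (gnutls_x509_crt_t));
  if (st->cert.x509 == NULL)
    {
      gnutls_x509_crt_deinit (cert);
      g_warning ("Could not copy certificate: out of memory");
      return;
    }
  st->cert.x509[0] = cert;

  if (gnutls->priv->key != NULL)
    {
      status = gnutls_x509_privkey_init (&st->key.x509);
      if (status == 0)
        {
          status = gnutls_x509_privkey_cpy (st->key.x509, gnutls->priv->key);
          if (status != 0)
            gnutls_x509_privkey_deinit (st->key.x509);
        }

      if (status != 0)
        {
          /* Roll back: do not offer a certificate whose key is missing. */
          st->key.x509 = NULL;
          gnutls_x509_crt_deinit (cert);
          gnutls_free (st->cert.x509);
          st->cert.x509 = NULL;
          g_warning ("Could not copy private key: %s", gnutls_strerror (status));
          return;
        }

      st->key_type = GNUTLS_PRIVKEY_X509;
    }

  st->ncerts = 1;
  st->deinit_all = TRUE;
}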
/* Class initializer: registers the private struct, installs the GObject
 * and GTlsCertificate vfuncs, and overrides the properties inherited from
 * GTlsCertificate so that this backend stores them. */
static void
g_tls_certificate_gnutls_class_init (GTlsCertificateGnutlsClass *klass)
{
  GObjectClass *object_class = G_OBJECT_CLASS (klass);
  GTlsCertificateClass *tls_class = G_TLS_CERTIFICATE_CLASS (klass);

  g_type_class_add_private (klass, sizeof (GTlsCertificateGnutlsPrivate));

  /* GObject vfuncs */
  object_class->get_property = g_tls_certificate_gnutls_get_property;
  object_class->set_property = g_tls_certificate_gnutls_set_property;
  object_class->finalize     = g_tls_certificate_gnutls_finalize;

  /* GTlsCertificate vfunc */
  tls_class->verify = g_tls_certificate_gnutls_verify;

  /* Backend-specific vfunc, overridable by subclasses */
  klass->copy = g_tls_certificate_gnutls_real_copy;

  g_object_class_override_property (object_class, PROP_CERTIFICATE, "certificate");
  g_object_class_override_property (object_class, PROP_CERTIFICATE_BYTES, "certificate-bytes");
  g_object_class_override_property (object_class, PROP_CERTIFICATE_PEM, "certificate-pem");
  g_object_class_override_property (object_class, PROP_PRIVATE_KEY, "private-key");
  g_object_class_override_property (object_class, PROP_PRIVATE_KEY_BYTES, "private-key-bytes");
  g_object_class_override_property (object_class, PROP_PRIVATE_KEY_PEM, "private-key-pem");
  g_object_class_override_property (object_class, PROP_ISSUER, "issuer");
}
/* GInitable interface setup: routes init to the function that reports
 * construct-time parse errors. */
static void
g_tls_certificate_gnutls_initable_iface_init (GInitableIface  *iface)
{
  iface->init = g_tls_certificate_gnutls_initable_init;
}
/* Create a certificate object from DER data in @datum, with @issuer as
 * its issuer (may be NULL).
 *
 * The object is created with g_object_new(), so the GInitable init
 * function is not run on this path, and the data import reports no
 * error: the object is returned even if @datum could not be parsed.
 *
 * Returns a new GTlsCertificate owned by the caller.
 */
GTlsCertificate *
g_tls_certificate_gnutls_new (const gnutls_datum *datum,
                              GTlsCertificate    *issuer)
{
  GTlsCertificateGnutls *self;

  self = g_object_new (G_TYPE_TLS_CERTIFICATE_GNUTLS,
                       "issuer", issuer,
                       NULL);
  g_tls_certificate_gnutls_set_data (self, datum);

  return G_TLS_CERTIFICATE (self);
}
/* Import DER certificate data into an object that has none yet.
 *
 * NOTE(review): an import failure is silent -- have_cert simply stays
 * FALSE and no error is recorded or returned.  Callers that feed this
 * from untrusted input should confirm the result, e.g. through the
 * verification path, before relying on the object.
 */
void
g_tls_certificate_gnutls_set_data (GTlsCertificateGnutls *gnutls,
                                   const gnutls_datum    *datum)
{
  int status;

  g_return_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (gnutls));
  g_return_if_fail (!gnutls->priv->have_cert);

  status = gnutls_x509_crt_import (gnutls->priv->cert, datum,
                                   GNUTLS_X509_FMT_DER);
  if (status == 0)
    gnutls->priv->have_cert = TRUE;
}
/* Return the underlying GnuTLS certificate handle.  The handle stays
 * owned by @gnutls and is released when the object is finalized. */
const gnutls_x509_crt_t
g_tls_certificate_gnutls_get_cert (GTlsCertificateGnutls *gnutls)
{
  GTlsCertificateGnutlsPrivate *priv = gnutls->priv;

  return priv->cert;
}
/* Report whether a private key was imported successfully for @gnutls. */
gboolean
g_tls_certificate_gnutls_has_key (GTlsCertificateGnutls *gnutls)
{
  GTlsCertificateGnutlsPrivate *priv = gnutls->priv;

  return priv->have_key;
}
/* Public entry point for copying the certificate (and key) into @st.
 * Validates its arguments and dispatches to the class's copy vfunc. */
void
g_tls_certificate_gnutls_copy  (GTlsCertificateGnutls *gnutls,
                                const gchar           *interaction_id,
                                gnutls_retr2_st       *st)
{
  GTlsCertificateGnutlsClass *klass;

  g_return_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (gnutls));
  g_return_if_fail (st != NULL);
  g_return_if_fail (G_TLS_CERTIFICATE_GNUTLS_GET_CLASS (gnutls)->copy);

  klass = G_TLS_CERTIFICATE_GNUTLS_GET_CLASS (gnutls);
  klass->copy (gnutls, interaction_id, st);
}
/* Translation table from GnuTLS verification status bits to
 * GTlsCertificateFlags.  The first entry folds two GnuTLS bits into one
 * GTls flag; status bits with no entry here are reported as a generic
 * error by the conversion function. */
static const struct {
  int gnutls_flag;
  GTlsCertificateFlags gtls_flag;
} flags_map[] = {
  { GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_SIGNER_NOT_CA, G_TLS_CERTIFICATE_UNKNOWN_CA },
  { GNUTLS_CERT_NOT_ACTIVATED, G_TLS_CERTIFICATE_NOT_ACTIVATED },
  { GNUTLS_CERT_EXPIRED, G_TLS_CERTIFICATE_EXPIRED },
  { GNUTLS_CERT_REVOKED, G_TLS_CERTIFICATE_REVOKED },
  { GNUTLS_CERT_INSECURE_ALGORITHM, G_TLS_CERTIFICATE_INSECURE }
};
static const int flags_map_size = G_N_ELEMENTS (flags_map);
/* Convert a GnuTLS verification status word to GTlsCertificateFlags.
 *
 * GnuTLS sets GNUTLS_CERT_INVALID alongside any other flag, so it is
 * stripped unless it is the only flag set.  Recognized flags are then
 * translated through flags_map; anything left over, including a lone
 * GNUTLS_CERT_INVALID, becomes G_TLS_CERTIFICATE_GENERIC_ERROR, so an
 * unknown failure bit is never dropped silently.
 */
GTlsCertificateFlags
g_tls_certificate_gnutls_convert_flags (guint gnutls_flags)
{
  GTlsCertificateFlags result = 0;
  guint remaining = gnutls_flags;
  int idx;

  if (remaining != GNUTLS_CERT_INVALID)
    remaining &= ~GNUTLS_CERT_INVALID;

  for (idx = 0; idx < flags_map_size && remaining != 0; idx++)
    {
      if (!(remaining & flags_map[idx].gnutls_flag))
        continue;

      /* Clear every bit of the entry so it is not counted as left over. */
      remaining &= ~flags_map[idx].gnutls_flag;
      result |= flags_map[idx].gtls_flag;
    }

  if (remaining)
    result |= G_TLS_CERTIFICATE_GENERIC_ERROR;

  return result;
}
/* Check that the certificate is valid for @identity.
 *
 * The name to match is the hostname of a GNetworkAddress or the domain
 * of a GNetworkService; matching itself is delegated to
 * gnutls_x509_crt_check_hostname().  Any other kind of identity has no
 * name to compare and is rejected.
 *
 * Returns 0 on a match, G_TLS_CERTIFICATE_BAD_IDENTITY otherwise.
 */
GTlsCertificateFlags
g_tls_certificate_gnutls_verify_identity (GTlsCertificateGnutls *gnutls,
                                          GSocketConnectable    *identity)
{
  const char *hostname = NULL;

  if (G_IS_NETWORK_ADDRESS (identity))
    hostname = g_network_address_get_hostname (G_NETWORK_ADDRESS (identity));
  else if (G_IS_NETWORK_SERVICE (identity))
    hostname = g_network_service_get_domain (G_NETWORK_SERVICE (identity));

  if (hostname != NULL &&
      gnutls_x509_crt_check_hostname (gnutls->priv->cert, hostname))
    return 0;

  /* FIXME: check sRVName and uniformResourceIdentifier
   * subjectAltNames, if appropriate for @identity.
   */

  return G_TLS_CERTIFICATE_BAD_IDENTITY;
}
/* Replace the issuer of @gnutls with @issuer (may be NULL) and emit the
 * "issuer" property notification.
 *
 * The new issuer is referenced before the old one is released, so
 * passing the current issuer again is safe.
 * NOTE(review): nothing here prevents @issuer from leading back to
 * @gnutls; code that walks issuer links assumes no such cycle exists --
 * confirm at the callers.
 */
void
g_tls_certificate_gnutls_set_issuer (GTlsCertificateGnutls *gnutls,
                                     GTlsCertificateGnutls *issuer)
{
  g_return_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (gnutls));
  g_return_if_fail (!issuer || G_IS_TLS_CERTIFICATE_GNUTLS (issuer));

  if (issuer != NULL)
    g_object_ref (issuer);

  g_clear_object (&gnutls->priv->issuer);
  gnutls->priv->issuer = issuer;

  g_object_notify (G_OBJECT (gnutls), "issuer");
}