1 /* GIO - GLib Input, Output and Streaming Library
3 * Copyright 2009 Red Hat, Inc
5 * This library is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU Lesser General Public
7 * License as published by the Free Software Foundation; either
8 * version 2 of the License, or (at your option) any later version.
10 * This library is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * Lesser General Public License for more details.
15 * You should have received a copy of the GNU Lesser General
16 * Public License along with this library; if not, see
17 * <http://www.gnu.org/licenses/>.
22 #include <gnutls/gnutls.h>
23 #include <gnutls/x509.h>
26 #include "gtlscertificate-gnutls.h"
27 #include <glib/gi18n-lib.h>
30 static void g_tls_certificate_gnutls_initable_iface_init (GInitableIface *iface);
32 G_DEFINE_TYPE_WITH_CODE (GTlsCertificateGnutls, g_tls_certificate_gnutls, G_TYPE_TLS_CERTIFICATE,
33 G_IMPLEMENT_INTERFACE (G_TYPE_INITABLE,
34 g_tls_certificate_gnutls_initable_iface_init);)
47 struct _GTlsCertificateGnutlsPrivate
49 gnutls_x509_crt_t cert;
50 gnutls_x509_privkey_t key;
52 GTlsCertificateGnutls *issuer;
54 GError *construct_error;
61 g_tls_certificate_gnutls_finalize (GObject *object)
63 GTlsCertificateGnutls *gnutls = G_TLS_CERTIFICATE_GNUTLS (object);
65 gnutls_x509_crt_deinit (gnutls->priv->cert);
66 if (gnutls->priv->key)
67 gnutls_x509_privkey_deinit (gnutls->priv->key);
69 if (gnutls->priv->issuer)
70 g_object_unref (gnutls->priv->issuer);
72 g_clear_error (&gnutls->priv->construct_error);
74 G_OBJECT_CLASS (g_tls_certificate_gnutls_parent_class)->finalize (object);
78 g_tls_certificate_gnutls_get_property (GObject *object,
83 GTlsCertificateGnutls *gnutls = G_TLS_CERTIFICATE_GNUTLS (object);
84 GByteArray *certificate;
85 char *certificate_pem;
91 case PROP_CERTIFICATE:
93 status = gnutls_x509_crt_export (gnutls->priv->cert,
96 if (status != GNUTLS_E_SHORT_MEMORY_BUFFER)
100 certificate = g_byte_array_sized_new (size);
101 certificate->len = size;
102 status = gnutls_x509_crt_export (gnutls->priv->cert,
104 certificate->data, &size);
107 g_byte_array_free (certificate, TRUE);
111 g_value_take_boxed (value, certificate);
114 case PROP_CERTIFICATE_PEM:
116 status = gnutls_x509_crt_export (gnutls->priv->cert,
119 if (status != GNUTLS_E_SHORT_MEMORY_BUFFER)
120 certificate_pem = NULL;
123 certificate_pem = g_malloc (size);
124 status = gnutls_x509_crt_export (gnutls->priv->cert,
126 certificate_pem, &size);
129 g_free (certificate_pem);
130 certificate_pem = NULL;
133 g_value_take_string (value, certificate_pem);
137 g_value_set_object (value, gnutls->priv->issuer);
141 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
146 g_tls_certificate_gnutls_set_property (GObject *object,
151 GTlsCertificateGnutls *gnutls = G_TLS_CERTIFICATE_GNUTLS (object);
159 case PROP_CERTIFICATE:
160 bytes = g_value_get_boxed (value);
163 g_return_if_fail (gnutls->priv->have_cert == FALSE);
164 data.data = bytes->data;
165 data.size = bytes->len;
166 status = gnutls_x509_crt_import (gnutls->priv->cert, &data,
167 GNUTLS_X509_FMT_DER);
169 gnutls->priv->have_cert = TRUE;
170 else if (!gnutls->priv->construct_error)
172 gnutls->priv->construct_error =
173 g_error_new (G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
174 _("Could not parse DER certificate: %s"),
175 gnutls_strerror (status));
180 case PROP_CERTIFICATE_PEM:
181 string = g_value_get_string (value);
184 g_return_if_fail (gnutls->priv->have_cert == FALSE);
185 data.data = (void *)string;
186 data.size = strlen (string);
187 status = gnutls_x509_crt_import (gnutls->priv->cert, &data,
188 GNUTLS_X509_FMT_PEM);
190 gnutls->priv->have_cert = TRUE;
191 else if (!gnutls->priv->construct_error)
193 gnutls->priv->construct_error =
194 g_error_new (G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
195 _("Could not parse PEM certificate: %s"),
196 gnutls_strerror (status));
200 case PROP_PRIVATE_KEY:
201 bytes = g_value_get_boxed (value);
204 g_return_if_fail (gnutls->priv->have_key == FALSE);
205 data.data = bytes->data;
206 data.size = bytes->len;
207 if (!gnutls->priv->key)
208 gnutls_x509_privkey_init (&gnutls->priv->key);
209 status = gnutls_x509_privkey_import (gnutls->priv->key, &data,
210 GNUTLS_X509_FMT_DER);
214 gnutls_x509_privkey_import_pkcs8 (gnutls->priv->key, &data,
215 GNUTLS_X509_FMT_DER, NULL,
217 if (pkcs8_status == 0)
221 gnutls->priv->have_key = TRUE;
222 else if (!gnutls->priv->construct_error)
224 gnutls->priv->construct_error =
225 g_error_new (G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
226 _("Could not parse DER private key: %s"),
227 gnutls_strerror (status));
231 case PROP_PRIVATE_KEY_PEM:
232 string = g_value_get_string (value);
235 g_return_if_fail (gnutls->priv->have_key == FALSE);
236 data.data = (void *)string;
237 data.size = strlen (string);
238 if (!gnutls->priv->key)
239 gnutls_x509_privkey_init (&gnutls->priv->key);
240 status = gnutls_x509_privkey_import (gnutls->priv->key, &data,
241 GNUTLS_X509_FMT_PEM);
245 gnutls_x509_privkey_import_pkcs8 (gnutls->priv->key, &data,
246 GNUTLS_X509_FMT_PEM, NULL,
248 if (pkcs8_status == 0)
252 gnutls->priv->have_key = TRUE;
253 else if (!gnutls->priv->construct_error)
255 gnutls->priv->construct_error =
256 g_error_new (G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
257 _("Could not parse PEM private key: %s"),
258 gnutls_strerror (status));
263 gnutls->priv->issuer = g_value_dup_object (value);
267 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
271 #if ENABLE(TIZEN_TV_ADJUST_TIME)
272 extern double soupTimeOffset;
275 correct_time_func(time_t *t)
277 return time(NULL) + (time_t)(soupTimeOffset / 1000);
282 g_tls_certificate_gnutls_init (GTlsCertificateGnutls *gnutls)
284 gnutls->priv = G_TYPE_INSTANCE_GET_PRIVATE (gnutls,
285 G_TYPE_TLS_CERTIFICATE_GNUTLS,
286 GTlsCertificateGnutlsPrivate);
288 gnutls_x509_crt_init (&gnutls->priv->cert);
289 #if ENABLE(TIZEN_TV_ADJUST_TIME)
290 gnutls_global_set_time_function(correct_time_func);
295 g_tls_certificate_gnutls_initable_init (GInitable *initable,
296 GCancellable *cancellable,
299 GTlsCertificateGnutls *gnutls = G_TLS_CERTIFICATE_GNUTLS (initable);
301 if (gnutls->priv->construct_error)
303 g_propagate_error (error, gnutls->priv->construct_error);
304 gnutls->priv->construct_error = NULL;
307 else if (!gnutls->priv->have_cert)
309 g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
310 _("No certificate data provided"));
317 static GTlsCertificateFlags
318 g_tls_certificate_gnutls_verify (GTlsCertificate *cert,
319 GSocketConnectable *identity,
320 GTlsCertificate *trusted_ca)
322 GTlsCertificateGnutls *cert_gnutls;
324 gnutls_x509_crt_t *chain;
325 GTlsCertificateFlags gtls_flags;
327 #if ENABLE(TIZEN_TV_DLOG)
332 cert_gnutls = G_TLS_CERTIFICATE_GNUTLS (cert);
333 for (num_certs = 0; cert_gnutls; cert_gnutls = cert_gnutls->priv->issuer)
335 chain = g_new (gnutls_x509_crt_t, num_certs);
336 cert_gnutls = G_TLS_CERTIFICATE_GNUTLS (cert);
337 for (i = 0; cert_gnutls; cert_gnutls = cert_gnutls->priv->issuer, i++)
338 chain[i] = cert_gnutls->priv->cert;
342 gnutls_x509_crt_t ca;
346 ca = G_TLS_CERTIFICATE_GNUTLS (trusted_ca)->priv->cert;
347 status = gnutls_x509_crt_list_verify (chain, num_certs,
350 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
355 return G_TLS_CERTIFICATE_GENERIC_ERROR;
358 gtls_flags = g_tls_certificate_gnutls_convert_flags (gnutls_flags);
363 /* We have to check these ourselves since gnutls_x509_crt_list_verify
364 * won't bother if it gets an UNKNOWN_CA.
367 #if ENABLE(TIZEN_TV_ADJUST_TIME)
368 now = time (NULL) + (time_t)(soupTimeOffset / 1000);
370 for (i = 0; i < num_certs; i++)
372 t = gnutls_x509_crt_get_activation_time (chain[i]);
374 #if ENABLE(TIZEN_TV_DLOG)
375 ctime_r(&now, timebuf);
376 TIZEN_LOGI("[Certificate] TV borad time is: %s", timebuf);
377 if (t != (time_t) -1) {
378 ctime_r(&t, timebuf);
379 TIZEN_LOGI("[Certificate] CA activation time is: %s", timebuf);
382 TIZEN_LOGI("[Certificate] gnutls_x509_crt_get_activation_time ERROR");
385 if (t == (time_t) -1 || t > now)
386 gtls_flags |= G_TLS_CERTIFICATE_NOT_ACTIVATED;
388 t = gnutls_x509_crt_get_expiration_time (chain[i]);
390 #if ENABLE(TIZEN_TV_DLOG)
391 if (t != (time_t) -1) {
392 ctime_r(&t, timebuf);
393 TIZEN_LOGI("[Certificate] CA expiration time is: %s", timebuf);
396 TIZEN_LOGI("[Certificate] gnutls_x509_crt_get_expiration_time ERROR");
399 if (t == (time_t) -1 || t < now)
400 gtls_flags |= G_TLS_CERTIFICATE_EXPIRED;
406 gtls_flags |= g_tls_certificate_gnutls_verify_identity (G_TLS_CERTIFICATE_GNUTLS (cert), identity);
412 g_tls_certificate_gnutls_real_copy (GTlsCertificateGnutls *gnutls,
413 const gchar *interaction_id,
416 GTlsCertificateGnutls *chain;
417 gnutls_x509_crt_t cert;
422 /* We will do this loop twice. It's probably more efficient than
423 * re-allocating memory.
426 while (chain != NULL)
429 chain = chain->priv->issuer;
433 st->cert.x509 = gnutls_malloc (sizeof (gnutls_x509_crt_t) * num_certs);
435 /* Now do the actual copy of the whole chain. */
437 while (chain != NULL)
439 gnutls_x509_crt_export (chain->priv->cert, GNUTLS_X509_FMT_DER,
441 data.data = g_malloc (size);
443 gnutls_x509_crt_export (chain->priv->cert, GNUTLS_X509_FMT_DER,
446 gnutls_x509_crt_init (&cert);
447 gnutls_x509_crt_import (cert, &data, GNUTLS_X509_FMT_DER);
450 st->cert.x509[st->ncerts] = cert;
453 chain = chain->priv->issuer;
456 if (gnutls->priv->key != NULL)
458 gnutls_x509_privkey_init (&st->key.x509);
459 gnutls_x509_privkey_cpy (st->key.x509, gnutls->priv->key);
460 st->key_type = GNUTLS_PRIVKEY_X509;
463 st->deinit_all = TRUE;
467 g_tls_certificate_gnutls_class_init (GTlsCertificateGnutlsClass *klass)
469 GObjectClass *gobject_class = G_OBJECT_CLASS (klass);
470 GTlsCertificateClass *certificate_class = G_TLS_CERTIFICATE_CLASS (klass);
472 g_type_class_add_private (klass, sizeof (GTlsCertificateGnutlsPrivate));
474 gobject_class->get_property = g_tls_certificate_gnutls_get_property;
475 gobject_class->set_property = g_tls_certificate_gnutls_set_property;
476 gobject_class->finalize = g_tls_certificate_gnutls_finalize;
478 certificate_class->verify = g_tls_certificate_gnutls_verify;
480 klass->copy = g_tls_certificate_gnutls_real_copy;
482 g_object_class_override_property (gobject_class, PROP_CERTIFICATE, "certificate");
483 g_object_class_override_property (gobject_class, PROP_CERTIFICATE_PEM, "certificate-pem");
484 g_object_class_override_property (gobject_class, PROP_PRIVATE_KEY, "private-key");
485 g_object_class_override_property (gobject_class, PROP_PRIVATE_KEY_PEM, "private-key-pem");
486 g_object_class_override_property (gobject_class, PROP_ISSUER, "issuer");
490 g_tls_certificate_gnutls_initable_iface_init (GInitableIface *iface)
492 iface->init = g_tls_certificate_gnutls_initable_init;
496 g_tls_certificate_gnutls_new (const gnutls_datum_t *datum,
497 GTlsCertificate *issuer)
499 GTlsCertificateGnutls *gnutls;
501 gnutls = g_object_new (G_TYPE_TLS_CERTIFICATE_GNUTLS,
504 g_tls_certificate_gnutls_set_data (gnutls, datum);
506 return G_TLS_CERTIFICATE (gnutls);
510 g_tls_certificate_gnutls_set_data (GTlsCertificateGnutls *gnutls,
511 const gnutls_datum_t *datum)
513 g_return_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (gnutls));
514 g_return_if_fail (!gnutls->priv->have_cert);
516 if (gnutls_x509_crt_import (gnutls->priv->cert, datum,
517 GNUTLS_X509_FMT_DER) == 0)
518 gnutls->priv->have_cert = TRUE;
521 const gnutls_x509_crt_t
522 g_tls_certificate_gnutls_get_cert (GTlsCertificateGnutls *gnutls)
524 return gnutls->priv->cert;
528 g_tls_certificate_gnutls_has_key (GTlsCertificateGnutls *gnutls)
530 return gnutls->priv->have_key;
534 g_tls_certificate_gnutls_copy (GTlsCertificateGnutls *gnutls,
535 const gchar *interaction_id,
538 g_return_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (gnutls));
539 g_return_if_fail (st != NULL);
540 g_return_if_fail (G_TLS_CERTIFICATE_GNUTLS_GET_CLASS (gnutls)->copy);
541 G_TLS_CERTIFICATE_GNUTLS_GET_CLASS (gnutls)->copy (gnutls, interaction_id, st);
544 static const struct {
546 GTlsCertificateFlags gtls_flag;
548 { GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_SIGNER_NOT_CA, G_TLS_CERTIFICATE_UNKNOWN_CA },
549 { GNUTLS_CERT_NOT_ACTIVATED, G_TLS_CERTIFICATE_NOT_ACTIVATED },
550 { GNUTLS_CERT_EXPIRED, G_TLS_CERTIFICATE_EXPIRED },
551 { GNUTLS_CERT_REVOKED, G_TLS_CERTIFICATE_REVOKED },
552 { GNUTLS_CERT_INSECURE_ALGORITHM, G_TLS_CERTIFICATE_INSECURE }
554 static const int flags_map_size = G_N_ELEMENTS (flags_map);
557 g_tls_certificate_gnutls_convert_flags (guint gnutls_flags)
560 GTlsCertificateFlags gtls_flags;
562 /* Convert GNUTLS status to GTlsCertificateFlags. GNUTLS sets
563 * GNUTLS_CERT_INVALID if it sets any other flag, so we want to
564 * strip that out unless it's the only flag set. Then we convert
565 * specific flags we recognize, and if there are any flags left over
566 * at the end, we add G_TLS_CERTIFICATE_GENERIC_ERROR.
570 if (gnutls_flags != GNUTLS_CERT_INVALID)
571 gnutls_flags = gnutls_flags & ~GNUTLS_CERT_INVALID;
572 for (i = 0; i < flags_map_size && gnutls_flags != 0; i++)
574 if (gnutls_flags & flags_map[i].gnutls_flag)
576 gnutls_flags &= ~flags_map[i].gnutls_flag;
577 gtls_flags |= flags_map[i].gtls_flag;
581 gtls_flags |= G_TLS_CERTIFICATE_GENERIC_ERROR;
587 g_tls_certificate_gnutls_verify_identity (GTlsCertificateGnutls *gnutls,
588 GSocketConnectable *identity)
590 const char *hostname;
592 if (G_IS_NETWORK_ADDRESS (identity))
593 hostname = g_network_address_get_hostname (G_NETWORK_ADDRESS (identity));
594 else if (G_IS_NETWORK_SERVICE (identity))
595 hostname = g_network_service_get_domain (G_NETWORK_SERVICE (identity));
601 if (gnutls_x509_crt_check_hostname (gnutls->priv->cert, hostname))
605 /* FIXME: check sRVName and uniformResourceIdentifier
606 * subjectAltNames, if appropriate for @identity.
608 #if ENABLE(TIZEN_TV_DLOG)
609 TIZEN_LOGI("[Network] SSL HandShake - Bad Identity");
612 return G_TLS_CERTIFICATE_BAD_IDENTITY;
616 g_tls_certificate_gnutls_set_issuer (GTlsCertificateGnutls *gnutls,
617 GTlsCertificateGnutls *issuer)
619 g_return_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (gnutls));
620 g_return_if_fail (!issuer || G_IS_TLS_CERTIFICATE_GNUTLS (issuer));
623 g_object_ref (issuer);
624 if (gnutls->priv->issuer)
625 g_object_unref (gnutls->priv->issuer);
626 gnutls->priv->issuer = issuer;
627 g_object_notify (G_OBJECT (gnutls), "issuer");
631 g_tls_certificate_gnutls_get_bytes (GTlsCertificateGnutls *gnutls)
635 g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (gnutls), NULL);
637 g_object_get (gnutls, "certificate", &array, NULL);
638 return g_byte_array_free_to_bytes (array);
641 static gnutls_x509_crt_t *
642 convert_data_to_gnutls_certs (const gnutls_datum_t *certs,
644 gnutls_x509_crt_fmt_t format)
646 gnutls_x509_crt_t *gnutls_certs;
649 gnutls_certs = g_new (gnutls_x509_crt_t, num_certs);
651 for (i = 0; i < num_certs; i++)
653 if (gnutls_x509_crt_init (&gnutls_certs[i]) < 0)
660 for (i = 0; i < num_certs; i++)
662 if (gnutls_x509_crt_import (gnutls_certs[i], &certs[i], format) < 0)
672 for (; i != G_MAXUINT; i--)
673 gnutls_x509_crt_deinit (gnutls_certs[i]);
674 g_free (gnutls_certs);
678 GTlsCertificateGnutls *
679 g_tls_certificate_gnutls_build_chain (const gnutls_datum_t *certs,
681 gnutls_x509_crt_fmt_t format)
683 GPtrArray *glib_certs;
684 gnutls_x509_crt_t *gnutls_certs;
685 GTlsCertificateGnutls *issuer;
686 GTlsCertificateGnutls *result;
689 g_return_val_if_fail (certs, NULL);
691 gnutls_certs = convert_data_to_gnutls_certs (certs, num_certs, format);
695 glib_certs = g_ptr_array_new_full (num_certs, g_object_unref);
696 for (i = 0; i < num_certs; i++)
697 g_ptr_array_add (glib_certs, g_tls_certificate_gnutls_new (&certs[i], NULL));
699 /* Some servers send certs out of order, or will send duplicate
700 * certs, so we need to be careful when assigning the issuer of
701 * our new GTlsCertificateGnutls.
703 for (i = 0; i < num_certs; i++)
707 if (i < num_certs - 1 &&
708 gnutls_x509_crt_check_issuer (gnutls_certs[i], gnutls_certs[i + 1]))
710 issuer = glib_certs->pdata[i + 1];
714 for (j = 0; j < num_certs; j++)
717 gnutls_x509_crt_check_issuer (gnutls_certs[i], gnutls_certs[j]))
719 issuer = glib_certs->pdata[j];
726 g_tls_certificate_gnutls_set_issuer (glib_certs->pdata[i], issuer);
729 result = g_object_ref (glib_certs->pdata[0]);
730 g_ptr_array_unref (glib_certs);
732 for (i = 0; i < num_certs; i++)
733 gnutls_x509_crt_deinit (gnutls_certs[i]);
734 g_free (gnutls_certs);