1 /* GIO - GLib Input, Output and Streaming Library
3 * Copyright 2009 Red Hat, Inc
5 * This library is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU Lesser General Public
7 * License as published by the Free Software Foundation; either
8 * version 2 of the License, or (at your option) any later version.
10 * This library is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * Lesser General Public License for more details.
15 * You should have received a copy of the GNU Lesser General
16 * Public License along with this library; if not, see
17 * <http://www.gnu.org/licenses/>.
19 * In addition, when the library is used with OpenSSL, a special
20 * exception applies. Refer to the LICENSE_EXCEPTION file for details.
25 #include <gnutls/gnutls.h>
26 #include <gnutls/x509.h>
29 #include "gtlscertificate-gnutls.h"
30 #include <glib/gi18n-lib.h>
33 static void g_tls_certificate_gnutls_initable_iface_init (GInitableIface *iface);
35 G_DEFINE_TYPE_WITH_CODE (GTlsCertificateGnutls, g_tls_certificate_gnutls, G_TYPE_TLS_CERTIFICATE,
36 G_IMPLEMENT_INTERFACE (G_TYPE_INITABLE,
37 g_tls_certificate_gnutls_initable_iface_init);)
50 struct _GTlsCertificateGnutlsPrivate
52 gnutls_x509_crt_t cert;
53 gnutls_x509_privkey_t key;
55 GTlsCertificateGnutls *issuer;
57 GError *construct_error;
64 g_tls_certificate_gnutls_finalize (GObject *object)
66 GTlsCertificateGnutls *gnutls = G_TLS_CERTIFICATE_GNUTLS (object);
68 gnutls_x509_crt_deinit (gnutls->priv->cert);
69 if (gnutls->priv->key)
70 gnutls_x509_privkey_deinit (gnutls->priv->key);
72 if (gnutls->priv->issuer)
73 g_object_unref (gnutls->priv->issuer);
75 g_clear_error (&gnutls->priv->construct_error);
77 G_OBJECT_CLASS (g_tls_certificate_gnutls_parent_class)->finalize (object);
81 g_tls_certificate_gnutls_get_property (GObject *object,
86 GTlsCertificateGnutls *gnutls = G_TLS_CERTIFICATE_GNUTLS (object);
87 GByteArray *certificate;
88 char *certificate_pem;
94 case PROP_CERTIFICATE:
96 status = gnutls_x509_crt_export (gnutls->priv->cert,
99 if (status != GNUTLS_E_SHORT_MEMORY_BUFFER)
103 certificate = g_byte_array_sized_new (size);
104 certificate->len = size;
105 status = gnutls_x509_crt_export (gnutls->priv->cert,
107 certificate->data, &size);
110 g_byte_array_free (certificate, TRUE);
114 g_value_take_boxed (value, certificate);
117 case PROP_CERTIFICATE_PEM:
119 status = gnutls_x509_crt_export (gnutls->priv->cert,
122 if (status != GNUTLS_E_SHORT_MEMORY_BUFFER)
123 certificate_pem = NULL;
126 certificate_pem = g_malloc (size);
127 status = gnutls_x509_crt_export (gnutls->priv->cert,
129 certificate_pem, &size);
132 g_free (certificate_pem);
133 certificate_pem = NULL;
136 g_value_take_string (value, certificate_pem);
140 g_value_set_object (value, gnutls->priv->issuer);
144 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
149 g_tls_certificate_gnutls_set_property (GObject *object,
154 GTlsCertificateGnutls *gnutls = G_TLS_CERTIFICATE_GNUTLS (object);
162 case PROP_CERTIFICATE:
163 bytes = g_value_get_boxed (value);
166 g_return_if_fail (gnutls->priv->have_cert == FALSE);
167 data.data = bytes->data;
168 data.size = bytes->len;
169 status = gnutls_x509_crt_import (gnutls->priv->cert, &data,
170 GNUTLS_X509_FMT_DER);
172 gnutls->priv->have_cert = TRUE;
173 else if (!gnutls->priv->construct_error)
175 gnutls->priv->construct_error =
176 g_error_new (G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
177 _("Could not parse DER certificate: %s"),
178 gnutls_strerror (status));
183 case PROP_CERTIFICATE_PEM:
184 string = g_value_get_string (value);
187 g_return_if_fail (gnutls->priv->have_cert == FALSE);
188 data.data = (void *)string;
189 data.size = strlen (string);
190 status = gnutls_x509_crt_import (gnutls->priv->cert, &data,
191 GNUTLS_X509_FMT_PEM);
193 gnutls->priv->have_cert = TRUE;
194 else if (!gnutls->priv->construct_error)
196 gnutls->priv->construct_error =
197 g_error_new (G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
198 _("Could not parse PEM certificate: %s"),
199 gnutls_strerror (status));
203 case PROP_PRIVATE_KEY:
204 bytes = g_value_get_boxed (value);
207 g_return_if_fail (gnutls->priv->have_key == FALSE);
208 data.data = bytes->data;
209 data.size = bytes->len;
210 if (!gnutls->priv->key)
211 gnutls_x509_privkey_init (&gnutls->priv->key);
212 status = gnutls_x509_privkey_import (gnutls->priv->key, &data,
213 GNUTLS_X509_FMT_DER);
217 gnutls_x509_privkey_import_pkcs8 (gnutls->priv->key, &data,
218 GNUTLS_X509_FMT_DER, NULL,
220 if (pkcs8_status == 0)
224 gnutls->priv->have_key = TRUE;
225 else if (!gnutls->priv->construct_error)
227 gnutls->priv->construct_error =
228 g_error_new (G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
229 _("Could not parse DER private key: %s"),
230 gnutls_strerror (status));
234 case PROP_PRIVATE_KEY_PEM:
235 string = g_value_get_string (value);
238 g_return_if_fail (gnutls->priv->have_key == FALSE);
239 data.data = (void *)string;
240 data.size = strlen (string);
241 if (!gnutls->priv->key)
242 gnutls_x509_privkey_init (&gnutls->priv->key);
243 status = gnutls_x509_privkey_import (gnutls->priv->key, &data,
244 GNUTLS_X509_FMT_PEM);
248 gnutls_x509_privkey_import_pkcs8 (gnutls->priv->key, &data,
249 GNUTLS_X509_FMT_PEM, NULL,
251 if (pkcs8_status == 0)
255 gnutls->priv->have_key = TRUE;
256 else if (!gnutls->priv->construct_error)
258 gnutls->priv->construct_error =
259 g_error_new (G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
260 _("Could not parse PEM private key: %s"),
261 gnutls_strerror (status));
266 gnutls->priv->issuer = g_value_dup_object (value);
270 G_OBJECT_WARN_INVALID_PROPERTY_ID (object, prop_id, pspec);
274 #if ENABLE(TIZEN_TV_ADJUST_TIME)
275 extern double soupTimeOffset;
278 correct_time_func(time_t *t)
280 return time(NULL) + (time_t)(soupTimeOffset / 1000);
285 g_tls_certificate_gnutls_init (GTlsCertificateGnutls *gnutls)
287 gnutls->priv = G_TYPE_INSTANCE_GET_PRIVATE (gnutls,
288 G_TYPE_TLS_CERTIFICATE_GNUTLS,
289 GTlsCertificateGnutlsPrivate);
291 gnutls_x509_crt_init (&gnutls->priv->cert);
292 #if ENABLE(TIZEN_TV_ADJUST_TIME)
293 gnutls_global_set_time_function(correct_time_func);
298 g_tls_certificate_gnutls_initable_init (GInitable *initable,
299 GCancellable *cancellable,
302 GTlsCertificateGnutls *gnutls = G_TLS_CERTIFICATE_GNUTLS (initable);
304 if (gnutls->priv->construct_error)
306 g_propagate_error (error, gnutls->priv->construct_error);
307 gnutls->priv->construct_error = NULL;
310 else if (!gnutls->priv->have_cert)
312 g_set_error_literal (error, G_TLS_ERROR, G_TLS_ERROR_BAD_CERTIFICATE,
313 _("No certificate data provided"));
320 static GTlsCertificateFlags
321 g_tls_certificate_gnutls_verify (GTlsCertificate *cert,
322 GSocketConnectable *identity,
323 GTlsCertificate *trusted_ca)
325 GTlsCertificateGnutls *cert_gnutls;
327 gnutls_x509_crt_t *chain;
328 GTlsCertificateFlags gtls_flags;
330 #if ENABLE(TIZEN_TV_ADJUST_TIME) && ENABLE(TIZEN_DLOG)
334 cert_gnutls = G_TLS_CERTIFICATE_GNUTLS (cert);
335 for (num_certs = 0; cert_gnutls; cert_gnutls = cert_gnutls->priv->issuer)
337 chain = g_new (gnutls_x509_crt_t, num_certs);
338 cert_gnutls = G_TLS_CERTIFICATE_GNUTLS (cert);
339 for (i = 0; cert_gnutls; cert_gnutls = cert_gnutls->priv->issuer, i++)
340 chain[i] = cert_gnutls->priv->cert;
344 gnutls_x509_crt_t ca;
348 ca = G_TLS_CERTIFICATE_GNUTLS (trusted_ca)->priv->cert;
349 status = gnutls_x509_crt_list_verify (chain, num_certs,
352 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT,
357 return G_TLS_CERTIFICATE_GENERIC_ERROR;
360 gtls_flags = g_tls_certificate_gnutls_convert_flags (gnutls_flags);
365 /* We have to check these ourselves since gnutls_x509_crt_list_verify
366 * won't bother if it gets an UNKNOWN_CA.
369 #if ENABLE(TIZEN_TV_ADJUST_TIME)
370 now = time (NULL) + (time_t)(soupTimeOffset / 1000);
372 for (i = 0; i < num_certs; i++)
374 t = gnutls_x509_crt_get_activation_time (chain[i]);
376 #if ENABLE(TIZEN_TV_ADJUST_TIME) && ENABLE(TIZEN_DLOG)
377 ctime_r(&now, timebuf);
378 TIZEN_LOGI("[Certificate] TV borad time is: %s", timebuf);
379 if (t != (time_t) -1) {
380 ctime_r(&t, timebuf);
381 TIZEN_LOGI("[Certificate] CA activation time is: %s", timebuf);
384 TIZEN_LOGI("[Certificate] gnutls_x509_crt_get_activation_time ERROR");
387 if (t == (time_t) -1 || t > now)
388 gtls_flags |= G_TLS_CERTIFICATE_NOT_ACTIVATED;
390 t = gnutls_x509_crt_get_expiration_time (chain[i]);
392 #if ENABLE(TIZEN_TV_ADJUST_TIME) && ENABLE(TIZEN_DLOG)
393 if (t != (time_t) -1) {
394 ctime_r(&t, timebuf);
395 TIZEN_LOGI("[Certificate] CA expiration time is: %s", timebuf);
398 TIZEN_LOGI("[Certificate] gnutls_x509_crt_get_expiration_time ERROR");
401 if (t == (time_t) -1 || t < now)
402 gtls_flags |= G_TLS_CERTIFICATE_EXPIRED;
408 gtls_flags |= g_tls_certificate_gnutls_verify_identity (G_TLS_CERTIFICATE_GNUTLS (cert), identity);
414 g_tls_certificate_gnutls_real_copy (GTlsCertificateGnutls *gnutls,
415 const gchar *interaction_id,
418 GTlsCertificateGnutls *chain;
419 gnutls_x509_crt_t cert;
425 /* We will do this loop twice. It's probably more efficient than
426 * re-allocating memory.
429 while (chain != NULL)
432 chain = chain->priv->issuer;
436 st->cert.x509 = gnutls_malloc (sizeof (gnutls_x509_crt_t) * num_certs);
438 /* Now do the actual copy of the whole chain. */
440 while (chain != NULL)
442 gnutls_x509_crt_export (chain->priv->cert, GNUTLS_X509_FMT_DER,
444 data.data = g_malloc (size);
446 gnutls_x509_crt_export (chain->priv->cert, GNUTLS_X509_FMT_DER,
449 gnutls_x509_crt_init (&cert);
450 status = gnutls_x509_crt_import (cert, &data, GNUTLS_X509_FMT_DER);
451 g_warn_if_fail (status == 0);
454 st->cert.x509[st->ncerts] = cert;
457 chain = chain->priv->issuer;
460 if (gnutls->priv->key != NULL)
462 gnutls_x509_privkey_init (&st->key.x509);
463 gnutls_x509_privkey_cpy (st->key.x509, gnutls->priv->key);
464 st->key_type = GNUTLS_PRIVKEY_X509;
467 st->deinit_all = TRUE;
471 g_tls_certificate_gnutls_class_init (GTlsCertificateGnutlsClass *klass)
473 GObjectClass *gobject_class = G_OBJECT_CLASS (klass);
474 GTlsCertificateClass *certificate_class = G_TLS_CERTIFICATE_CLASS (klass);
476 g_type_class_add_private (klass, sizeof (GTlsCertificateGnutlsPrivate));
478 gobject_class->get_property = g_tls_certificate_gnutls_get_property;
479 gobject_class->set_property = g_tls_certificate_gnutls_set_property;
480 gobject_class->finalize = g_tls_certificate_gnutls_finalize;
482 certificate_class->verify = g_tls_certificate_gnutls_verify;
484 klass->copy = g_tls_certificate_gnutls_real_copy;
486 g_object_class_override_property (gobject_class, PROP_CERTIFICATE, "certificate");
487 g_object_class_override_property (gobject_class, PROP_CERTIFICATE_PEM, "certificate-pem");
488 g_object_class_override_property (gobject_class, PROP_PRIVATE_KEY, "private-key");
489 g_object_class_override_property (gobject_class, PROP_PRIVATE_KEY_PEM, "private-key-pem");
490 g_object_class_override_property (gobject_class, PROP_ISSUER, "issuer");
494 g_tls_certificate_gnutls_initable_iface_init (GInitableIface *iface)
496 iface->init = g_tls_certificate_gnutls_initable_init;
500 g_tls_certificate_gnutls_new (const gnutls_datum_t *datum,
501 GTlsCertificate *issuer)
503 GTlsCertificateGnutls *gnutls;
505 gnutls = g_object_new (G_TYPE_TLS_CERTIFICATE_GNUTLS,
508 g_tls_certificate_gnutls_set_data (gnutls, datum);
510 return G_TLS_CERTIFICATE (gnutls);
514 g_tls_certificate_gnutls_set_data (GTlsCertificateGnutls *gnutls,
515 const gnutls_datum_t *datum)
517 g_return_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (gnutls));
518 g_return_if_fail (!gnutls->priv->have_cert);
520 if (gnutls_x509_crt_import (gnutls->priv->cert, datum,
521 GNUTLS_X509_FMT_DER) == 0)
522 gnutls->priv->have_cert = TRUE;
525 const gnutls_x509_crt_t
526 g_tls_certificate_gnutls_get_cert (GTlsCertificateGnutls *gnutls)
528 return gnutls->priv->cert;
532 g_tls_certificate_gnutls_has_key (GTlsCertificateGnutls *gnutls)
534 return gnutls->priv->have_key;
538 g_tls_certificate_gnutls_copy (GTlsCertificateGnutls *gnutls,
539 const gchar *interaction_id,
542 g_return_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (gnutls));
543 g_return_if_fail (st != NULL);
544 g_return_if_fail (G_TLS_CERTIFICATE_GNUTLS_GET_CLASS (gnutls)->copy);
545 G_TLS_CERTIFICATE_GNUTLS_GET_CLASS (gnutls)->copy (gnutls, interaction_id, st);
548 static const struct {
550 GTlsCertificateFlags gtls_flag;
552 { GNUTLS_CERT_SIGNER_NOT_FOUND | GNUTLS_CERT_SIGNER_NOT_CA, G_TLS_CERTIFICATE_UNKNOWN_CA },
553 { GNUTLS_CERT_NOT_ACTIVATED, G_TLS_CERTIFICATE_NOT_ACTIVATED },
554 { GNUTLS_CERT_EXPIRED, G_TLS_CERTIFICATE_EXPIRED },
555 { GNUTLS_CERT_REVOKED, G_TLS_CERTIFICATE_REVOKED },
556 { GNUTLS_CERT_INSECURE_ALGORITHM, G_TLS_CERTIFICATE_INSECURE },
557 { GNUTLS_CERT_UNEXPECTED_OWNER, G_TLS_CERTIFICATE_BAD_IDENTITY }
559 static const int flags_map_size = G_N_ELEMENTS (flags_map);
562 g_tls_certificate_gnutls_convert_flags (guint gnutls_flags)
565 GTlsCertificateFlags gtls_flags;
567 /* Convert GNUTLS status to GTlsCertificateFlags. GNUTLS sets
568 * GNUTLS_CERT_INVALID if it sets any other flag, so we want to
569 * strip that out unless it's the only flag set. Then we convert
570 * specific flags we recognize, and if there are any flags left over
571 * at the end, we add G_TLS_CERTIFICATE_GENERIC_ERROR.
575 if (gnutls_flags != GNUTLS_CERT_INVALID)
576 gnutls_flags = gnutls_flags & ~GNUTLS_CERT_INVALID;
577 for (i = 0; i < flags_map_size && gnutls_flags != 0; i++)
579 if (gnutls_flags & flags_map[i].gnutls_flag)
581 gnutls_flags &= ~flags_map[i].gnutls_flag;
582 gtls_flags |= flags_map[i].gtls_flag;
586 gtls_flags |= G_TLS_CERTIFICATE_GENERIC_ERROR;
592 verify_identity_hostname (GTlsCertificateGnutls *gnutls,
593 GSocketConnectable *identity)
595 const char *hostname;
597 if (G_IS_NETWORK_ADDRESS (identity))
598 hostname = g_network_address_get_hostname (G_NETWORK_ADDRESS (identity));
599 else if (G_IS_NETWORK_SERVICE (identity))
600 hostname = g_network_service_get_domain (G_NETWORK_SERVICE (identity));
604 return gnutls_x509_crt_check_hostname (gnutls->priv->cert, hostname);
608 verify_identity_ip (GTlsCertificateGnutls *gnutls,
609 GSocketConnectable *identity)
614 const guint8 *addr_bytes;
616 if (G_IS_INET_SOCKET_ADDRESS (identity))
617 addr = g_object_ref (g_inet_socket_address_get_address (G_INET_SOCKET_ADDRESS (identity)));
619 const char *hostname;
621 if (G_IS_NETWORK_ADDRESS (identity))
622 hostname = g_network_address_get_hostname (G_NETWORK_ADDRESS (identity));
623 else if (G_IS_NETWORK_SERVICE (identity))
624 hostname = g_network_service_get_domain (G_NETWORK_SERVICE (identity));
628 addr = g_inet_address_new_from_string (hostname);
633 addr_bytes = g_inet_address_to_bytes (addr);
634 addr_size = g_inet_address_get_native_size (addr);
636 for (i = 0; ret >= 0; i++)
641 san_size = sizeof (san);
642 ret = gnutls_x509_crt_get_subject_alt_name (gnutls->priv->cert, i,
643 san, &san_size, NULL);
645 if ((ret == GNUTLS_SAN_IPADDRESS) && (addr_size == san_size))
647 if (memcmp (addr_bytes, san, addr_size) == 0)
649 g_object_unref (addr);
655 g_object_unref (addr);
660 g_tls_certificate_gnutls_verify_identity (GTlsCertificateGnutls *gnutls,
661 GSocketConnectable *identity)
663 if (verify_identity_hostname (gnutls, identity))
665 else if (verify_identity_ip (gnutls, identity))
668 /* FIXME: check sRVName and uniformResourceIdentifier
669 * subjectAltNames, if appropriate for @identity.
671 #if ENABLE(TIZEN_DLOG)
672 TIZEN_LOGI("[Network] SSL HandShake - Bad Identity");
675 return G_TLS_CERTIFICATE_BAD_IDENTITY;
679 g_tls_certificate_gnutls_set_issuer (GTlsCertificateGnutls *gnutls,
680 GTlsCertificateGnutls *issuer)
682 g_return_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (gnutls));
683 g_return_if_fail (!issuer || G_IS_TLS_CERTIFICATE_GNUTLS (issuer));
686 g_object_ref (issuer);
687 if (gnutls->priv->issuer)
688 g_object_unref (gnutls->priv->issuer);
689 gnutls->priv->issuer = issuer;
690 g_object_notify (G_OBJECT (gnutls), "issuer");
694 g_tls_certificate_gnutls_get_bytes (GTlsCertificateGnutls *gnutls)
698 g_return_val_if_fail (G_IS_TLS_CERTIFICATE_GNUTLS (gnutls), NULL);
700 g_object_get (gnutls, "certificate", &array, NULL);
701 return g_byte_array_free_to_bytes (array);
704 static gnutls_x509_crt_t *
705 convert_data_to_gnutls_certs (const gnutls_datum_t *certs,
707 gnutls_x509_crt_fmt_t format)
709 gnutls_x509_crt_t *gnutls_certs;
712 gnutls_certs = g_new (gnutls_x509_crt_t, num_certs);
714 for (i = 0; i < num_certs; i++)
716 if (gnutls_x509_crt_init (&gnutls_certs[i]) < 0)
723 for (i = 0; i < num_certs; i++)
725 if (gnutls_x509_crt_import (gnutls_certs[i], &certs[i], format) < 0)
735 for (; i != G_MAXUINT; i--)
736 gnutls_x509_crt_deinit (gnutls_certs[i]);
737 g_free (gnutls_certs);
741 GTlsCertificateGnutls *
742 g_tls_certificate_gnutls_build_chain (const gnutls_datum_t *certs,
744 gnutls_x509_crt_fmt_t format)
746 GPtrArray *glib_certs;
747 gnutls_x509_crt_t *gnutls_certs;
748 GTlsCertificateGnutls *issuer;
749 GTlsCertificateGnutls *result;
752 g_return_val_if_fail (certs, NULL);
754 gnutls_certs = convert_data_to_gnutls_certs (certs, num_certs, format);
758 glib_certs = g_ptr_array_new_full (num_certs, g_object_unref);
759 for (i = 0; i < num_certs; i++)
760 g_ptr_array_add (glib_certs, g_tls_certificate_gnutls_new (&certs[i], NULL));
762 /* Some servers send certs out of order, or will send duplicate
763 * certs, so we need to be careful when assigning the issuer of
764 * our new GTlsCertificateGnutls.
766 for (i = 0; i < num_certs; i++)
770 /* Check if the cert issued itself */
771 if (gnutls_x509_crt_check_issuer (gnutls_certs[i], gnutls_certs[i]))
774 if (i < num_certs - 1 &&
775 gnutls_x509_crt_check_issuer (gnutls_certs[i], gnutls_certs[i + 1]))
777 issuer = glib_certs->pdata[i + 1];
781 for (j = 0; j < num_certs; j++)
784 gnutls_x509_crt_check_issuer (gnutls_certs[i], gnutls_certs[j]))
786 issuer = glib_certs->pdata[j];
793 g_tls_certificate_gnutls_set_issuer (glib_certs->pdata[i], issuer);
796 result = g_object_ref (glib_certs->pdata[0]);
797 g_ptr_array_unref (glib_certs);
799 for (i = 0; i < num_certs; i++)
800 gnutls_x509_crt_deinit (gnutls_certs[i]);
801 g_free (gnutls_certs);