pcert: added functionality to retrieve lists

That introduces gnutls_pcert_list_import_x509_file() and
gnutls_x509_crt_list_import_url().

Resolves #373

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

8 files changed, 248 insertions, 31 deletions

diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h
index e15bd3a0f5..d3cd91b93c 100644
--- a/lib/includes/gnutls/abstract.h
+++ b/lib/includes/gnutls/abstract.h
@@ -620,6 +620,14 @@ gnutls_pcert_list_import_x509_raw(gnutls_pcert_st * pcerts,
 				  gnutls_x509_crt_fmt_t format,
 				  unsigned int flags);
 
+int gnutls_pcert_list_import_x509_file(gnutls_pcert_st *pcert_list,
+				       unsigned *pcert_list_size,
+				       const char *file,
+				       gnutls_x509_crt_fmt_t format,
+				       gnutls_pin_callback_t pin_fn,
+				       void *pin_fn_userdata,
+				       unsigned int flags);
+
 int gnutls_pcert_import_x509_raw(gnutls_pcert_st * pcert,
 				 const gnutls_datum_t * cert,
 				 gnutls_x509_crt_fmt_t format,
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 1246a30eb2..fef901a101 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -169,6 +169,14 @@ int gnutls_x509_crt_import_url(gnutls_x509_crt_t crt,
 				      /* GNUTLS_PKCS11_OBJ_FLAG_* */
     );
 
+int
+gnutls_x509_crt_list_import_url(gnutls_x509_crt_t **certs,
+				unsigned int *size,
+				const char *url,
+				gnutls_pin_callback_t pin_fn,
+				void *pin_fn_userdata,
+				unsigned int flags);
+
 int gnutls_x509_crt_export(gnutls_x509_crt_t cert,
 			   gnutls_x509_crt_fmt_t format,
 			   void *output_data, size_t * output_data_size);
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 45aa9b9431..17cd8ff2b3 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1215,6 +1215,8 @@ GNUTLS_3_6_3
 	gnutls_certificate_get_ocsp_expiration;
 	gnutls_record_send2;
 	gnutls_ext_raw_parse;
+	gnutls_x509_crt_list_import_url;
+	gnutls_pcert_list_import_x509_file;
 } GNUTLS_3_6_2;
 
 GNUTLS_FIPS140_3_4 {
diff --git a/lib/pcert.c b/lib/pcert.c
index e88ddc3fba..3476405022 100644
--- a/lib/pcert.c
+++ b/lib/pcert.c
@@ -26,6 +26,7 @@
 #include <x509/common.h>
 #include <x509.h>
 #include "x509/x509_int.h"
+#include <gnutls/x509.h>
 
 /**
  * gnutls_pcert_import_x509:
@@ -84,14 +85,15 @@ int gnutls_pcert_import_x509(gnutls_pcert_st * pcert,
 
 /**
  * gnutls_pcert_import_x509_list:
- * @pcert: The pcert structure
+ * @pcert_list: The structures to store the certificates; must not contain initialized #gnutls_pcert_st structures.
  * @crt: The certificates to be imported
- * @ncrt: The number of certificates
+ * @ncrt: The number of certificates in @crt; will be updated if necessary
  * @flags: zero or %GNUTLS_X509_CRT_LIST_SORT
  *
- * This convenience function will import the given certificate to a
- * #gnutls_pcert_st structure. The structure must be deinitialized
- * afterwards using gnutls_pcert_deinit();
+ * This convenience function will import the given certificates to an
+ * already allocated set of #gnutls_pcert_st structures. The structures must
+ * be deinitialized afterwards using gnutls_pcert_deinit(). @pcert_list
+ * should contain space for at least @ncrt elements.
  *
  * In the case %GNUTLS_X509_CRT_LIST_SORT is specified and that
  * function cannot sort the list, %GNUTLS_E_CERTIFICATE_LIST_UNSORTED
@@ -103,7 +105,7 @@ int gnutls_pcert_import_x509(gnutls_pcert_st * pcert,
  *
  * Since: 3.4.0
  **/
-int gnutls_pcert_import_x509_list(gnutls_pcert_st * pcert,
+int gnutls_pcert_import_x509_list(gnutls_pcert_st * pcert_list,
 				  gnutls_x509_crt_t *crt, unsigned *ncrt,
 				  unsigned int flags)
 {
@@ -132,7 +134,7 @@ int gnutls_pcert_import_x509_list(gnutls_pcert_st * pcert,
 	}
 
 	for (i=0;i<*ncrt;i++) {
-		ret = gnutls_pcert_import_x509(&pcert[i], s[i], 0);
+		ret = gnutls_pcert_import_x509(&pcert_list[i], s[i], 0);
 		if (ret < 0) {
 			current = i;
 			goto cleanup;
@@ -143,7 +145,7 @@ int gnutls_pcert_import_x509_list(gnutls_pcert_st * pcert,
 
  cleanup:
 	for (i=0;i<current;i++) {
-		gnutls_pcert_deinit(&pcert[i]);
+		gnutls_pcert_deinit(&pcert_list[i]);
 	}
 	return ret;
 
@@ -151,27 +153,30 @@ int gnutls_pcert_import_x509_list(gnutls_pcert_st * pcert,
 
 /**
  * gnutls_pcert_list_import_x509_raw:
- * @pcerts: The structures to store the parsed certificate. Must not be initialized.
- * @pcert_max: Initially must hold the maximum number of certs. It will be updated with the number of certs available.
+ * @pcert_list: The structures to store the certificates; must not contain initialized #gnutls_pcert_st structures.
+ * @pcert_list_size: Initially must hold the maximum number of certs. It will be updated with the number of certs available.
  * @data: The certificates.
  * @format: One of DER or PEM.
  * @flags: must be (0) or an OR'd sequence of gnutls_certificate_import_flags.
  *
- * This function will convert the given PEM encoded certificate list
- * to the native gnutls_x509_crt_t format. The output will be stored
- * in @certs.  They will be automatically initialized.
+ * This function will import the provided DER or PEM encoded certificates to an
+ * already allocated set of #gnutls_pcert_st structures. The structures must
+ * be deinitialized afterwards using gnutls_pcert_deinit(). @pcert_list
+ * should contain space for at least @pcert_list_size elements.
  *
  * If the Certificate is PEM encoded it should have a header of "X509
  * CERTIFICATE", or "CERTIFICATE".
  *
- * Returns: the number of certificates read or a negative error value.
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error value; if the @pcert list doesn't have enough space
+ *   %GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
  *
  * Since: 3.0
  **/
 int
-gnutls_pcert_list_import_x509_raw(gnutls_pcert_st * pcerts,
-				  unsigned int *pcert_max,
-				  const gnutls_datum_t * data,
+gnutls_pcert_list_import_x509_raw(gnutls_pcert_st *pcert_list,
+				  unsigned int *pcert_list_size,
+				  const gnutls_datum_t *data,
 				  gnutls_x509_crt_fmt_t format,
 				  unsigned int flags)
 {
@@ -179,21 +184,21 @@ gnutls_pcert_list_import_x509_raw(gnutls_pcert_st * pcerts,
 	unsigned int i = 0, j;
 	gnutls_x509_crt_t *crt;
 
-	crt = gnutls_malloc((*pcert_max) * sizeof(gnutls_x509_crt_t));
+	crt = gnutls_malloc((*pcert_list_size) * sizeof(gnutls_x509_crt_t));
 
 	if (crt == NULL)
 		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
 
 	ret =
-	    gnutls_x509_crt_list_import(crt, pcert_max, data, format,
+	    gnutls_x509_crt_list_import(crt, pcert_list_size, data, format,
 					flags);
 	if (ret < 0) {
 		ret = gnutls_assert_val(ret);
 		goto cleanup_crt;
 	}
 
-	for (i = 0; i < *pcert_max; i++) {
-		ret = gnutls_pcert_import_x509(&pcerts[i], crt[i], flags);
+	for (i = 0; i < *pcert_list_size; i++) {
+		ret = gnutls_pcert_import_x509(&pcert_list[i], crt[i], flags);
 		if (ret < 0) {
 			ret = gnutls_assert_val(ret);
 			goto cleanup_pcert;
@@ -205,10 +210,10 @@ gnutls_pcert_list_import_x509_raw(gnutls_pcert_st * pcerts,
 
  cleanup_pcert:
 	for (j = 0; j < i; j++)
-		gnutls_pcert_deinit(&pcerts[j]);
+		gnutls_pcert_deinit(&pcert_list[j]);
 
  cleanup:
-	for (i = 0; i < *pcert_max; i++)
+	for (i = 0; i < *pcert_list_size; i++)
 		gnutls_x509_crt_deinit(crt[i]);
  
  cleanup_crt:
@@ -218,6 +223,89 @@ gnutls_pcert_list_import_x509_raw(gnutls_pcert_st * pcerts,
 }
 
 /**
+ * gnutls_pcert_list_import_x509_url:
+ * @pcert_list: The structures to store the certificates; must not contain initialized #gnutls_pcert_st structures.
+ * @pcert_list_size: Initially must hold the maximum number of certs. It will be updated with the number of certs available.
+ * @file: A file or supported URI with the certificates to load
+ * @format: %GNUTLS_X509_FMT_DER or %GNUTLS_X509_FMT_PEM if a file is given
+ * @pin_fn: a PIN callback if not globally set
+ * @pin_fn_userdata: parameter for the PIN callback
+ * @flags: zero or flags from %gnutls_certificate_import_flags
+ *
+ * This convenience function will import a certificate chain from the given
+ * file or supported URI to #gnutls_pcert_st structures. The structures
+ * must be deinitialized afterwards using gnutls_pcert_deinit().
+ *
+ * This function will always return a sorted certificate chain.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error value; if the @pcert list doesn't have enough space
+ *   %GNUTLS_E_SHORT_MEMORY_BUFFER will be returned.
+ *
+ * Since: 3.6.3
+ **/
+int gnutls_pcert_list_import_x509_file(gnutls_pcert_st *pcert_list,
+				       unsigned *pcert_list_size,
+				       const char *file,
+				       gnutls_x509_crt_fmt_t format,
+				       gnutls_pin_callback_t pin_fn,
+				       void *pin_fn_userdata,
+				       unsigned int flags)
+{
+	int ret, ret2;
+	unsigned i;
+	gnutls_x509_crt_t *crts = NULL;
+	unsigned crts_size = 0;
+	gnutls_datum_t data = {NULL, 0};
+
+	if (gnutls_url_is_supported(file) != 0) {
+		ret = gnutls_x509_crt_list_import_url(&crts, &crts_size, file, pin_fn, pin_fn_userdata, 0);
+		if (ret < 0) {
+			ret2 = gnutls_x509_crt_list_import_url(&crts, &crts_size, file, pin_fn, pin_fn_userdata, GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
+			if (ret2 >= 0) ret = ret2;
+		}
+
+		if (ret < 0) {
+			gnutls_assert();
+			goto cleanup;
+		}
+
+	} else { /* file */
+		ret = gnutls_load_file(file, &data);
+		if (ret < 0)
+			return gnutls_assert_val(ret);
+
+		ret = gnutls_x509_crt_list_import2(&crts, &crts_size, &data, format, flags|GNUTLS_X509_CRT_LIST_SORT);
+		if (ret < 0) {
+			gnutls_assert();
+			goto cleanup;
+		}
+	}
+
+	if (crts_size > *pcert_list_size) {
+		gnutls_assert();
+		ret = GNUTLS_E_SHORT_MEMORY_BUFFER;
+		goto cleanup;
+	}
+
+	ret = gnutls_pcert_import_x509_list(pcert_list, crts, &crts_size, flags);
+	if (ret < 0) {
+		gnutls_assert();
+		goto cleanup;
+	}
+	*pcert_list_size = crts_size;
+
+	ret = 0;
+cleanup:
+	for (i=0;i<crts_size;i++)
+		gnutls_x509_crt_deinit(crts[i]);
+	gnutls_free(crts);
+	gnutls_free(data.data);
+	return ret;
+}
+
+
+/**
  * gnutls_pcert_import_x509_raw:
  * @pcert: The pcert structure
  * @cert: The raw certificate to be imported
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 395a7e59aa..b31c1a0a14 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -39,6 +39,7 @@
 #include "pkcs11x.h"
 #include <p11-kit/pin.h>
 #include <system-keys.h>
+#include "x509/x509_int.h"
 
 #include <atfork.h>
 
@@ -4045,11 +4046,14 @@ int gnutls_pkcs11_get_raw_issuer(const char *url, gnutls_x509_crt_t cert,
 		gnutls_assert();
 		goto cleanup;
 	}
+
+	gnutls_pkcs11_obj_set_pin_function(priv.obj, cert->pin.cb, cert->pin.data);
+
 	priv.need_import = 1;
 
 	ret =
 	    _pkcs11_traverse_tokens(find_cert_cb, &priv, info,
-				    NULL, pkcs11_obj_flags_to_int(flags));
+				    &cert->pin, pkcs11_obj_flags_to_int(flags));
 	if (ret < 0) {
 		gnutls_assert();
 		goto cleanup;
diff --git a/lib/pkcs11_write.c b/lib/pkcs11_write.c
index e55bcbeda4..35207d5543 100644
--- a/lib/pkcs11_write.c
+++ b/lib/pkcs11_write.c
@@ -205,10 +205,12 @@ gnutls_pkcs11_copy_x509_crt2(const char *token_url,
 	a[a_val].value_len = crt->raw_dn.size;
 	a_val++;
 
-	a[a_val].type = CKA_ISSUER;
-	a[a_val].value = crt->raw_issuer_dn.data;
-	a[a_val].value_len = crt->raw_issuer_dn.size;
-	a_val++;
+	if (crt->raw_issuer_dn.size > 0) {
+		a[a_val].type = CKA_ISSUER;
+		a[a_val].value = crt->raw_issuer_dn.data;
+		a[a_val].value_len = crt->raw_issuer_dn.size;
+		a_val++;
+	}
 
 	serial_size = sizeof(serial);
 	if (gnutls_x509_crt_get_serial(crt, serial, &serial_size) >= 0) {
diff --git a/lib/urls.c b/lib/urls.c
index 2861c31d28..69b6cfb2a2 100644
--- a/lib/urls.c
+++ b/lib/urls.c
@@ -148,7 +148,7 @@ int _gnutls_get_raw_issuer(const char *url, gnutls_x509_crt_t cert,
 
 #ifdef ENABLE_PKCS11
 	if (strncmp(url, PKCS11_URL, PKCS11_URL_SIZE) == 0) {
-		return gnutls_pkcs11_get_raw_issuer(url, cert, issuer, GNUTLS_X509_FMT_DER, 0);
+		return gnutls_pkcs11_get_raw_issuer(url, cert, issuer, GNUTLS_X509_FMT_DER, flags);
 	}
 #endif
 	for (i=0;i<_gnutls_custom_urls_size;i++) {
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index 162a49be4e..74040a4e9d 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2003-2016 Free Software Foundation, Inc.
+ * Copyright (C) 2003-2018 Free Software Foundation, Inc.
+ * Copyright (C) 2018 Red Hat, Inc.
  *
  * Authors: Nikos Mavrogiannopoulos, Simon Josefsson, Howard Chu
  *
@@ -4165,7 +4166,7 @@ void gnutls_x509_crt_set_pin_function(gnutls_x509_crt_t crt,
  **/
 int
 gnutls_x509_crt_import_url(gnutls_x509_crt_t crt,
-				  const char *url, unsigned int flags)
+			   const char *url, unsigned int flags)
 {
 	int ret;
 	unsigned i;
@@ -4194,6 +4195,110 @@ gnutls_x509_crt_import_url(gnutls_x509_crt_t crt,
 	return ret;
 }
 
+/**
+ * gnutls_x509_crt_list_import_url:
+ * @certs: Will hold the allocated certificate list.
+ * @size: It will contain the size of the list.
+ * @url: A PKCS 11 url
+ * @pin_fn: a PIN callback if not globally set
+ * @pin_fn_userdata: parameter for the PIN callback
+ * @flags: One of GNUTLS_PKCS11_OBJ_* flags for PKCS#11 URLs or zero otherwise
+ *
+ * This function will import a certificate chain present in a PKCS#11 token
+ * or any type of back-end that supports URLs. The certificates
+ * must be deinitialized afterwards using gnutls_x509_crt_deinit()
+ * and the returned pointer must be freed using gnutls_free().
+ *
+ * The URI provided must be the first certificate in the chain; subsequent
+ * certificates will be retrieved using gnutls_pkcs11_get_raw_issuer() or
+ * equivalent functionality for the supported URI.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error value.
+ *
+ * Since: 3.6.3
+ **/
+int
+gnutls_x509_crt_list_import_url(gnutls_x509_crt_t **certs,
+				unsigned int *size,
+				const char *url,
+				gnutls_pin_callback_t pin_fn,
+				void *pin_fn_userdata,
+				unsigned int flags)
+{
+	int ret;
+	unsigned i;
+	gnutls_x509_crt_t crts[DEFAULT_MAX_VERIFY_DEPTH];
+	gnutls_datum_t issuer = {NULL, 0};
+	unsigned total = 0;
+
+	memset(crts, 0, sizeof(crts));
+
+	ret = gnutls_x509_crt_init(&crts[0]);
+	if (ret < 0)
+		return gnutls_assert_val(ret);
+
+	gnutls_x509_crt_set_pin_function(crts[0], pin_fn, pin_fn_userdata);
+
+	total = 1;
+
+	ret = gnutls_x509_crt_import_url(crts[0], url, flags);
+	if (ret < 0) {
+		gnutls_assert();
+		goto cleanup;
+	}
+
+	for (i=1;i<DEFAULT_MAX_VERIFY_DEPTH;i++) {
+		ret = _gnutls_get_raw_issuer(url, crts[i-1], &issuer, flags|GNUTLS_PKCS11_OBJ_FLAG_RETRIEVE_ANY);
+		if (ret < 0) {
+			issuer.data = NULL;
+			break;
+		}
+
+		if (gnutls_x509_crt_equals2(crts[i-1], &issuer)) {
+			gnutls_free(issuer.data);
+			issuer.data = NULL;
+			break;
+		}
+
+		ret = gnutls_x509_crt_init(&crts[i]);
+		if (ret < 0) {
+			gnutls_assert();
+			goto cleanup;
+		}
+
+		total++;
+
+		gnutls_x509_crt_set_pin_function(crts[i], pin_fn, pin_fn_userdata);
+
+		ret = gnutls_x509_crt_import(crts[i], &issuer, GNUTLS_X509_FMT_DER);
+		if (ret < 0) {
+			gnutls_assert();
+			goto cleanup;
+		}
+
+		gnutls_free(issuer.data);
+		issuer.data = NULL;
+	}
+
+	*certs = gnutls_malloc(total*sizeof(gnutls_x509_crt_t));
+	if (*certs == NULL) {
+		ret = GNUTLS_E_MEMORY_ERROR;
+		goto cleanup;
+	}
+
+	memcpy(*certs, crts, total*sizeof(gnutls_x509_crt_t));
+	*size = total;
+
+	return 0;
+ cleanup:
+	gnutls_free(issuer.data);
+	for (i=0;i<total;i++)
+		gnutls_x509_crt_deinit(crts[i]);
+
+	return ret;
+}
+
 /*-
  * gnutls_x509_crt_verify_data3:
  * @crt: Holds the certificate to verify with