diff options
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | lib/auth_x509.c | 49 | ||||
-rw-r--r-- | lib/gnutls.h.in.in | 2 | ||||
-rw-r--r-- | lib/gnutls_algorithms.h | 1 | ||||
-rw-r--r-- | lib/gnutls_ui.c | 12 | ||||
-rw-r--r-- | lib/gnutls_ui.h | 1 | ||||
-rw-r--r-- | src/cli.c | 82 | ||||
-rw-r--r-- | src/common.h | 93 | ||||
-rw-r--r-- | src/serv.c | 100 |
9 files changed, 152 insertions, 191 deletions
@@ -1,6 +1,7 @@ Version ?.?.? - Corrected bug which did not allow a client to accept multiple CA names -- Added gnutls_fingerprint_calc() +- Added gnutls_fingerprint() +- Added gnutls_x509pki_extract_certificate_serial() Version 0.3.1 (21/12/2001) - Corrections in the configuration files diff --git a/lib/auth_x509.c b/lib/auth_x509.c index da5376e0a8..55aeb1d8ef 100644 --- a/lib/auth_x509.c +++ b/lib/auth_x509.c @@ -1355,3 +1355,52 @@ int _gnutls_server_find_x509_cert_list_index(GNUTLS_STATE state, state->gnutls_internals.selected_cert_index = index; return index; } + +/** + * gnutls_x509pki_extract_certificate_serial - This function returns the certificate's serial number + * @cert: is an X.509 DER encoded certificate + * @result: The place where the serial number will be copied + * @result_size: Holds the size of the result field. + * + * This function will return the X.509 certificate's serial number. + * This is obtained by the X509 Certificate serialNumber + * field. Serial is not always a 32 or 64bit number. Some CAs use + * large serial numbers, thus it may be wise to handle it as something + * opaque. + * Returns a negative value in case of an error. + * + **/ +int gnutls_x509pki_extract_certificate_serial(const gnutls_datum * cert, char* result, int* result_size) +{ + node_asn *c2; + int ret; + + if (asn1_create_structure + (_gnutls_get_pkix(), "PKIX1Implicit88.Certificate", &c2, + "certificate2") + != ASN_OK) { + gnutls_assert(); + return GNUTLS_E_ASN1_ERROR; + } + + ret = asn1_get_der(c2, cert->data, cert->size); + if (ret != ASN_OK) { + /* couldn't decode DER */ +#ifdef DEBUG + _gnutls_log("Decoding error %d\n", result); +#endif + gnutls_assert(); + return GNUTLS_E_ASN1_PARSING_ERROR; + } + + if ((ret = asn1_read_value(c2, "certificate2.tbsCertificate.serialNumber", result, result_size)) < 0) { + gnutls_assert(); + asn1_delete_structure(c2); + return GNUTLS_E_INVALID_REQUEST; + } + + asn1_delete_structure(c2); + + return 0; + +} diff --git a/lib/gnutls.h.in.in b/lib/gnutls.h.in.in index 30777d97fe..1dafb8b0d9 100644 --- a/lib/gnutls.h.in.in +++ b/lib/gnutls.h.in.in @@ -251,4 +251,4 @@ void gnutls_transport_set_pull_func( GNUTLS_STATE, GNUTLS_PULL_FUNC pull_func); size_t gnutls_record_get_max_size( GNUTLS_STATE state); size_t gnutls_record_set_max_size( GNUTLS_STATE state, size_t size); -int gnutls_fingerprint_calc(GNUTLS_DigestAlgorithm algo, gnutls_datum data, char* result, int* result_size); +int gnutls_fingerprint(GNUTLS_DigestAlgorithm algo, const gnutls_datum* data, char* result, int* result_size); diff --git a/lib/gnutls_algorithms.h b/lib/gnutls_algorithms.h index e7c643b247..7c9a0e8d07 100644 --- a/lib/gnutls_algorithms.h +++ b/lib/gnutls_algorithms.h @@ -38,7 +38,6 @@ int _gnutls_mac_priority(GNUTLS_STATE state, MACAlgorithm algorithm); int _gnutls_mac_count(); /* functions for cipher suites */ -int _gnutls_cipher_suite_is_ok(GNUTLS_CipherSuite algorithm); int _gnutls_supported_ciphersuites(GNUTLS_STATE state, GNUTLS_CipherSuite **ciphers); int _gnutls_supported_ciphersuites_sorted(GNUTLS_STATE state, GNUTLS_CipherSuite **ciphers); int _gnutls_supported_compression_methods(GNUTLS_STATE state, uint8 **comp); diff --git a/lib/gnutls_ui.c b/lib/gnutls_ui.c index 059e608823..3a7bc7ce68 100644 --- a/lib/gnutls_ui.c +++ b/lib/gnutls_ui.c @@ -172,20 +172,20 @@ int gnutls_x509pki_get_certificate_request_status(GNUTLS_STATE state) /** - * gnutls_fingerprint_calc - This function calculates the fingerprint of the given data + * gnutls_fingerprint - This function calculates the fingerprint of the given data * @algo: is a digest algorithm * @data: is the data * @result: is the place where the result will be copied. * @result_size: should hold the size of the result. The actual size * of the returned result will also be copied there. * - * This function will calculate a fingerprint (actually hash), of the - * given data. The result is not printable data. You should convert - * it to hex, or something else printable. + * This function will calculate a fingerprint (actually a hash), of the + * given data. The result is not printable data. You should convert it + * to hex, or to something else printable. * Returns a negative value in case of an error. * **/ -int gnutls_fingerprint_calc(DigestAlgorithm algo, gnutls_datum data, char* result, int* result_size) +int gnutls_fingerprint(DigestAlgorithm algo, const gnutls_datum* data, char* result, int* result_size) { GNUTLS_HASH_HANDLE td; int hash_len = gnutls_hash_get_algo_len(algo); @@ -199,7 +199,7 @@ int gnutls_fingerprint_calc(DigestAlgorithm algo, gnutls_datum data, char* resul td = gnutls_hash_init( algo); if (td==NULL) return GNUTLS_E_HASH_FAILED; - gnutls_hash( td, data.data, data.size); + gnutls_hash( td, data->data, data->size); gnutls_hash_deinit( td, result); diff --git a/lib/gnutls_ui.h b/lib/gnutls_ui.h index 9f3af78108..1dd4dc1ea0 100644 --- a/lib/gnutls_ui.h +++ b/lib/gnutls_ui.h @@ -69,6 +69,7 @@ int gnutls_x509pki_extract_dn( const gnutls_datum*, gnutls_DN*); int gnutls_x509pki_extract_certificate_dn( const gnutls_datum*, gnutls_DN*); int gnutls_x509pki_extract_certificate_issuer_dn( const gnutls_datum*, gnutls_DN *); int gnutls_x509pki_extract_certificate_version( const gnutls_datum*); +int gnutls_x509pki_extract_certificate_serial(const gnutls_datum * cert, char* result, int* result_size); time_t gnutls_x509pki_extract_certificate_activation_time( const gnutls_datum*); time_t gnutls_x509pki_extract_certificate_expiration_time( const gnutls_datum*); int gnutls_x509pki_extract_subject_dns_name( const gnutls_datum*, char*, int*); @@ -53,88 +53,6 @@ #define CLIKEYFILE "x509/clikey.pem" #define CLICERTFILE "x509/clicert.pem" -static int print_info( GNUTLS_STATE state) { -const char *tmp; -CredType cred; -gnutls_DN dn; -const gnutls_datum* cert_list; -CertificateStatus status; -int cert_list_size = 0; - - tmp = gnutls_kx_get_name(gnutls_kx_get_algo( state)); - printf("- Key Exchange: %s\n", tmp); - - cred = gnutls_auth_get_type(state); - switch(cred) { - case GNUTLS_ANON: - printf("- Anonymous DH using prime of %d bits\n", - gnutls_anon_client_get_dh_bits( state)); - break; - case GNUTLS_X509PKI: - cert_list = gnutls_x509pki_client_get_peer_certificate_list( state, &cert_list_size); - status = gnutls_x509pki_client_get_peer_certificate_status( state); - - switch( status) { - case GNUTLS_CERT_NOT_TRUSTED: - printf("- Peer's X509 Certificate was NOT verified\n"); - break; - case GNUTLS_CERT_EXPIRED: - printf("- Peer's X509 Certificate was verified but is expired\n"); - break; - case GNUTLS_CERT_TRUSTED: - printf("- Peer's X509 Certificate was verified\n"); - break; - case GNUTLS_CERT_NONE: - printf("- Peer did not send any X509 Certificate.\n"); - break; - case GNUTLS_CERT_INVALID: - printf("- Peer's X509 Certificate was invalid\n"); - break; - } - - if (cert_list_size > 0) { - char digest[20]; - int digest_size = sizeof(digest), i; - char printable[120]; - char* print; - - printf(" - Certificate info:\n"); - - if ( gnutls_fingerprint_calc( GNUTLS_DIG_MD5, cert_list[0], digest, &digest_size) >= 0) { - print = printable; - for (i=0;i<digest_size;i++) { - sprintf( print, "%.2x ", (unsigned char)digest[i]); - print += 3; - } - printf(" - Certificate fingerprint: %s\n", printable); - } - - printf(" - Certificate version: #%d\n", gnutls_x509pki_extract_certificate_version( &cert_list[0])); - - gnutls_x509pki_extract_certificate_dn( &cert_list[0], &dn); - PRINT_DN( dn); - - gnutls_x509pki_extract_certificate_issuer_dn( &cert_list[0], &dn); - printf(" - Certificate Issuer's info:\n"); - PRINT_DN( dn); - } - } - - tmp = gnutls_protocol_get_name(gnutls_protocol_get_version(state)); - printf("- Version: %s\n", tmp); - - tmp = gnutls_compression_get_name(gnutls_compression_get_algo( state)); - printf("- Compression: %s\n", tmp); - - tmp = gnutls_cipher_get_name(gnutls_cipher_get_algo( state)); - printf("- Cipher: %s\n", tmp); - - tmp = gnutls_mac_get_name(gnutls_mac_get_algo( state)); - printf("- MAC: %s\n", tmp); - - return 0; -} - static int cert_callback( GNUTLS_STATE state, const gnutls_datum *client_certs, int ncerts, const gnutls_datum* req_ca_cert, int nreqs) { if (client_certs==NULL) { diff --git a/src/common.h b/src/common.h index 7a0dc0963d..cc616c2494 100644 --- a/src/common.h +++ b/src/common.h @@ -9,3 +9,96 @@ PRINTX( "S:", X.state_or_province_name); \ PRINTX( "C:", X.country); \ PRINTX( "E:", X.email) + +static int print_info( GNUTLS_STATE state) { +const char *tmp; +CredType cred; +gnutls_DN dn; +const gnutls_datum* cert_list; +CertificateStatus status; +int cert_list_size = 0; + + tmp = gnutls_kx_get_name(gnutls_kx_get_algo( state)); + printf("- Key Exchange: %s\n", tmp); + + cred = gnutls_auth_get_type(state); + switch(cred) { + case GNUTLS_ANON: + printf("- Anonymous DH using prime of %d bits\n", + gnutls_anon_client_get_dh_bits( state)); + break; + case GNUTLS_X509PKI: + cert_list = gnutls_x509pki_client_get_peer_certificate_list( state, &cert_list_size); + status = gnutls_x509pki_client_get_peer_certificate_status( state); + + switch( status) { + case GNUTLS_CERT_NOT_TRUSTED: + printf("- Peer's X509 Certificate was NOT verified\n"); + break; + case GNUTLS_CERT_EXPIRED: + printf("- Peer's X509 Certificate was verified but is expired\n"); + break; + case GNUTLS_CERT_TRUSTED: + printf("- Peer's X509 Certificate was verified\n"); + break; + case GNUTLS_CERT_NONE: + printf("- Peer did not send any X509 Certificate.\n"); + break; + case GNUTLS_CERT_INVALID: + printf("- Peer's X509 Certificate was invalid\n"); + break; + } + + if (cert_list_size > 0) { + char digest[20]; + char serial[40]; + int digest_size = sizeof(digest), i; + int serial_size = sizeof(serial); + char printable[120]; + char* print; + + printf(" - Certificate info:\n"); + + if ( gnutls_fingerprint( GNUTLS_DIG_MD5, &cert_list[0], digest, &digest_size) >= 0) { + print = printable; + for (i=0;i<digest_size;i++) { + sprintf( print, "%.2x ", (unsigned char)digest[i]); + print += 3; + } + printf(" - Certificate fingerprint: %s\n", printable); + } + + if ( gnutls_x509pki_extract_certificate_serial( &cert_list[0], serial, &serial_size) >= 0) { + print = printable; + for (i=0;i<serial_size;i++) { + sprintf( print, "%.2x ", (unsigned char)serial[i]); + print += 3; + } + printf(" - Certificate serial number: %s\n", printable); + } + + printf(" - Certificate version: #%d\n", gnutls_x509pki_extract_certificate_version( &cert_list[0])); + + gnutls_x509pki_extract_certificate_dn( &cert_list[0], &dn); + PRINT_DN( dn); + + gnutls_x509pki_extract_certificate_issuer_dn( &cert_list[0], &dn); + printf(" - Certificate Issuer's info:\n"); + PRINT_DN( dn); + } + } + + tmp = gnutls_protocol_get_name(gnutls_protocol_get_version(state)); + printf("- Version: %s\n", tmp); + + tmp = gnutls_compression_get_name(gnutls_compression_get_algo( state)); + printf("- Compression: %s\n", tmp); + + tmp = gnutls_cipher_get_name(gnutls_cipher_get_algo( state)); + printf("- Cipher: %s\n", tmp); + + tmp = gnutls_mac_get_name(gnutls_mac_get_algo( state)); + printf("- MAC: %s\n", tmp); + + return 0; +} diff --git a/src/serv.c b/src/serv.c index 94c4f82840..0a8aa1a675 100644 --- a/src/serv.c +++ b/src/serv.c @@ -105,106 +105,6 @@ GNUTLS_STATE initialize_state() return state; } - -void print_info(GNUTLS_STATE state) -{ - const char *tmp; - const gnutls_datum * cert_list; - unsigned char sesid[32]; - int sesid_size, i; - gnutls_DN dn; - CredType cred; - CertificateStatus status; - int cert_list_size = 0; - - /* print session_id specific data */ - gnutls_session_get_id( state, sesid, &sesid_size); - printf("\n- Session ID: "); - for(i=0;i<sesid_size;i++) - printf("%.2X", sesid[i]); - printf("\n"); - - /* we could also use the KX algorithm to distinguish the functions - * to call, but this is easier. - */ - cred = gnutls_auth_get_type(state); - - switch(cred) { - case GNUTLS_SRP: - /* print srp specific data */ - printf("\n- User '%s' connected\n", - gnutls_srp_server_get_username( state)); - break; - case GNUTLS_ANON: - printf("\n- Anonymous DH using prime of %d bits\n", - gnutls_anon_server_get_dh_bits( state)); - break; - - case GNUTLS_X509PKI: - cert_list = gnutls_x509pki_server_get_peer_certificate_list( state, &cert_list_size); - status = gnutls_x509pki_server_get_peer_certificate_status( state); - - switch( status) { - case GNUTLS_CERT_NOT_TRUSTED: - printf("- Peer's X509 Certificate was NOT verified\n"); - break; - case GNUTLS_CERT_EXPIRED: - printf("- Peer's X509 Certificate was verified but is expired\n"); - break; - case GNUTLS_CERT_TRUSTED: - printf("- Peer's X509 Certificate was verified\n"); - break; - case GNUTLS_CERT_NONE: - printf("- Peer did not send any certificate.\n"); - break; - case GNUTLS_CERT_INVALID: - printf("- Peer's X509 Certificate was invalid\n"); - break; - } - - if (gnutls_kx_get_algo(state) == GNUTLS_KX_X509PKI_DHE_RSA || gnutls_kx_get_algo(state) == GNUTLS_KX_X509PKI_DHE_DSS) { - printf("\n- Ephemeral DH using prime of %d bits\n", - gnutls_x509pki_server_get_dh_bits( state)); - } - - if (cert_list_size > 0) { - printf(" - Certificate info:\n"); - printf(" - Certificate version: #%d\n", gnutls_x509pki_extract_certificate_version( &cert_list[0])); - - if ( gnutls_x509pki_extract_certificate_dn( &cert_list[0], &dn) >= 0) { - PRINT_DN( dn); - } - - if (gnutls_x509pki_extract_certificate_issuer_dn( &cert_list[0], &dn) >= 0) { - printf(" - Certificate Issuer's info:\n"); - PRINT_DN( dn); - } - } - } - - - /* print state information */ - - tmp = gnutls_protocol_get_name( gnutls_protocol_get_version(state)); - printf("- Version: %s\n", tmp); - - tmp = gnutls_kx_get_name(gnutls_kx_get_algo(state)); - printf("- Key Exchange: %s\n", tmp); - - tmp = - gnutls_compression_get_name - (gnutls_compression_get_algo(state)); - printf("- Compression: %s\n", tmp); - - tmp = gnutls_cipher_get_name(gnutls_cipher_get_algo(state)); - printf("- Cipher: %s\n", tmp); - - tmp = gnutls_mac_get_name(gnutls_mac_get_algo(state)); - printf("- MAC: %s\n", tmp); - - -} - /* Creates html with the current state information. */ #define tmp2 &http_buffer[strlen(http_buffer)] |