[exim.git] / src / src / tlscert-gnu.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* Copyright (c) Jeremy Harris 2014 - 2018 */

/* This file provides TLS/SSL support for Exim using the GnuTLS library,
one of the available supported implementations.  This file is #included into
tls.c when USE_GNUTLS has been set.
*/

#include <gnutls/gnutls.h>
/* needed for cert checks in verification and DN extraction: */
#include <gnutls/x509.h>
/* needed to disable PKCS11 autoload unless requested */
#if GNUTLS_VERSION_NUMBER >= 0x020c00
# include <gnutls/pkcs11.h>
#endif


/*****************************************************
*  Export/import a certificate, binary/printable
******************************************************
Return: boolean success
*/

BOOL
tls_export_cert(uschar * buf, size_t buflen, void * cert)
{
size_t sz = buflen;
rmark reset_point = store_mark();
BOOL fail;
const uschar * cp;

if ((fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
    GNUTLS_X509_FMT_PEM, buf, &sz)))
  {
  log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
    gnutls_strerror(fail));
  return FALSE;
  }
if ((cp = string_printing(buf)) != buf)
  {
  Ustrncpy(buf, cp, buflen);
  if (buf[buflen-1])
    fail = 1;
  }
store_reset(reset_point);
return !fail;
}

/* On error, NULL out the destination */
BOOL
tls_import_cert(const uschar * buf, void ** cert)
{
rmark reset_point = store_mark();
gnutls_datum_t datum;
gnutls_x509_crt_t crt = *(gnutls_x509_crt_t *)cert;
int rc;

if (crt)
  gnutls_x509_crt_deinit(crt);
else
  gnutls_global_init();

gnutls_x509_crt_init(&crt);

datum.data = string_unprinting(US buf);
datum.size = Ustrlen(datum.data);
if ((rc = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM)))
  {
  log_write(0, LOG_MAIN, "TLS error in certificate import: %s",
    gnutls_strerror(rc));
  crt = NULL;
  }
*cert = (void *)crt;
store_reset(reset_point);
return rc != 0;
}

void
tls_free_cert(void ** cert)
{
gnutls_x509_crt_t crt = *(gnutls_x509_crt_t *)cert;
if (crt)
  {
  gnutls_x509_crt_deinit(crt);
  gnutls_global_deinit();
  *cert = NULL;
  }
}

/*****************************************************
*  Certificate field extraction routines
*****************************************************/

/* First, some internal service functions */

static uschar *
g_err(const char * tag, const char * from, int gnutls_err)
{
expand_string_message = string_sprintf("%s: %s fail: %s\n",
  from, tag, gnutls_strerror(gnutls_err));
return NULL;
}


static uschar *
time_copy(time_t t, uschar * mod)
{
uschar * cp;
size_t len = 32;

if (mod && Ustrcmp(mod, "int") == 0)
  return string_sprintf("%u", (unsigned)t);

cp = store_get(len, FALSE);
if (f.timestamps_utc)
  {
  uschar * tz = to_tz(US"GMT0");
  len = strftime(CS cp, len, "%b %e %T %Y %Z", gmtime(&t));
  restore_tz(tz);
  }
else
  len = strftime(CS cp, len, "%b %e %T %Y %Z", localtime(&t));
return len > 0 ? cp : NULL;
}


/**/
/* Now the extractors, called from expand.c
Arguments:
  cert		The certificate
  mod		Optional modifiers for the operator

Return:
  Allocated string with extracted value
*/

uschar *
tls_cert_issuer(void * cert, uschar * mod)
{
uschar * cp = NULL;
int ret;
size_t siz = 0;

if ((ret = gnutls_x509_crt_get_issuer_dn(cert, CS cp, &siz))
    != GNUTLS_E_SHORT_MEMORY_BUFFER)
  return g_err("gi0", __FUNCTION__, ret);

cp = store_get(siz, TRUE);
if ((ret = gnutls_x509_crt_get_issuer_dn(cert, CS cp, &siz)) < 0)
  return g_err("gi1", __FUNCTION__, ret);

return mod ? tls_field_from_dn(cp, mod) : cp;
}

uschar *
tls_cert_not_after(void * cert, uschar * mod)
{
return time_copy(
  gnutls_x509_crt_get_expiration_time((gnutls_x509_crt_t)cert),
  mod);
}

uschar *
tls_cert_not_before(void * cert, uschar * mod)
{
return time_copy(
  gnutls_x509_crt_get_activation_time((gnutls_x509_crt_t)cert),
  mod);
}

uschar *
tls_cert_serial_number(void * cert, uschar * mod)
{
uschar bin[50], txt[150];
uschar * sp = bin;
size_t sz = sizeof(bin);
int ret;

if ((ret = gnutls_x509_crt_get_serial((gnutls_x509_crt_t)cert,
    bin, &sz)))
  return g_err("gs0", __FUNCTION__, ret);

for(uschar * dp = txt; sz; sz--)
  dp += sprintf(CS dp, "%.2x", *sp++);
for(sp = txt; sp[0]=='0' && sp[1]; ) sp++;	/* leading zeroes */
return string_copy(sp);
}

uschar *
tls_cert_signature(void * cert, uschar * mod)
{
uschar * cp1 = NULL;
uschar * cp2;
uschar * cp3;
size_t len = 0;
int ret;

if ((ret = gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, CS cp1, &len))
    != GNUTLS_E_SHORT_MEMORY_BUFFER)
  return g_err("gs0", __FUNCTION__, ret);

cp1 = store_get(len*4+1, TRUE);
if (gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, CS cp1, &len) != 0)
  return g_err("gs1", __FUNCTION__, ret);

for(cp3 = cp2 = cp1+len; cp1 < cp2; cp1++)
  cp3 += sprintf(CS cp3, "%.2x ", *cp1);
cp3[-1]= '\0';

return cp2;
}

uschar *
tls_cert_signature_algorithm(void * cert, uschar * mod)
{
gnutls_sign_algorithm_t algo =
  gnutls_x509_crt_get_signature_algorithm((gnutls_x509_crt_t)cert);
return algo < 0 ? NULL : string_copy(US gnutls_sign_get_name(algo));
}

uschar *
tls_cert_subject(void * cert, uschar * mod)
{
uschar * cp = NULL;
int ret;
size_t siz = 0;

if ((ret = gnutls_x509_crt_get_dn(cert, CS cp, &siz))
    != GNUTLS_E_SHORT_MEMORY_BUFFER)
  return g_err("gs0", __FUNCTION__, ret);

cp = store_get(siz, TRUE);
if ((ret = gnutls_x509_crt_get_dn(cert, CS cp, &siz)) < 0)
  return g_err("gs1", __FUNCTION__, ret);

return mod ? tls_field_from_dn(cp, mod) : cp;
}

uschar *
tls_cert_version(void * cert, uschar * mod)
{
return string_sprintf("%d", gnutls_x509_crt_get_version(cert));
}

uschar *
tls_cert_ext_by_oid(void * cert, uschar * oid, int idx)
{
uschar * cp1 = NULL;
uschar * cp2;
uschar * cp3;
size_t siz = 0;
unsigned int crit;
int ret;

ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
  CS oid, idx, CS cp1, &siz, &crit);
if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
  return g_err("ge0", __FUNCTION__, ret);

cp1 = store_get(siz*4 + 1, TRUE);

ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
  CS oid, idx, CS cp1, &siz, &crit);
if (ret < 0)
  return g_err("ge1", __FUNCTION__, ret);

/* binary data, DER encoded */

/* just dump for now */
for(cp3 = cp2 = cp1+siz; cp1 < cp2; cp1++)
  cp3 += sprintf(CS cp3, "%.2x ", *cp1);
cp3[-1]= '\0';

return cp2;
}

uschar *
tls_cert_subject_altname(void * cert, uschar * mod)
{
gstring * list = NULL;
size_t siz;
int ret;
uschar sep = '\n';
uschar * tag = US"";
uschar * ele;
int match = -1;

while (mod)
  {
  if (*mod == '>' && *++mod) sep = *mod++;
  else if (Ustrcmp(mod, "dns")==0) { match = GNUTLS_SAN_DNSNAME; mod += 3; }
  else if (Ustrcmp(mod, "uri")==0) { match = GNUTLS_SAN_URI; mod += 3; }
  else if (Ustrcmp(mod, "mail")==0) { match = GNUTLS_SAN_RFC822NAME; mod += 4; }
  else continue;

  if (*mod++ != ',')
    break;
  }

for (int index = 0;; index++)
  {
  siz = 0;
  switch(ret = gnutls_x509_crt_get_subject_alt_name(
      (gnutls_x509_crt_t)cert, index, NULL, &siz, NULL))
    {
    case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
      return string_from_gstring(list);	/* no more elements; normal exit */

    case GNUTLS_E_SHORT_MEMORY_BUFFER:
      break;

    default:
      return g_err("gs0", __FUNCTION__, ret);
    }

  ele = store_get(siz+1, TRUE);
  if ((ret = gnutls_x509_crt_get_subject_alt_name(
    (gnutls_x509_crt_t)cert, index, ele, &siz, NULL)) < 0)
    return g_err("gs1", __FUNCTION__, ret);
  ele[siz] = '\0';

  if (  match != -1 && match != ret	/* wrong type of SAN */
     || Ustrlen(ele) != siz)		/* contains a NUL */
    continue;
  switch (ret)
    {
    case GNUTLS_SAN_DNSNAME:    tag = US"DNS";  break;
    case GNUTLS_SAN_URI:        tag = US"URI";  break;
    case GNUTLS_SAN_RFC822NAME: tag = US"MAIL"; break;
    default: continue;        /* ignore unrecognised types */
    }
  list = string_append_listele(list, sep,
          match == -1 ? string_sprintf("%s=%s", tag, ele) : ele);
  }
/*NOTREACHED*/
}

uschar *
tls_cert_ocsp_uri(void * cert, uschar * mod)
{
#if GNUTLS_VERSION_NUMBER >= 0x030000
gnutls_datum_t uri;
int ret;
uschar sep = '\n';
gstring * list = NULL;

if (mod)
  if (*mod == '>' && *++mod) sep = *mod++;

for (int index = 0;; index++)
  {
  ret = gnutls_x509_crt_get_authority_info_access((gnutls_x509_crt_t)cert,
	  index, GNUTLS_IA_OCSP_URI, &uri, NULL);

  if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
    return string_from_gstring(list);
  if (ret < 0)
    return g_err("gai", __FUNCTION__, ret);

  list = string_append_listele_n(list, sep, uri.data, uri.size);
  }
/*NOTREACHED*/

#else

expand_string_message =
  string_sprintf("%s: OCSP support with GnuTLS requires version 3.0.0\n",
    __FUNCTION__);
return NULL;

#endif
}

uschar *
tls_cert_crl_uri(void * cert, uschar * mod)
{
int ret;
uschar sep = '\n';
gstring * list = NULL;
uschar * ele;

if (mod)
  if (*mod == '>' && *++mod) sep = *mod++;

for (int index = 0;; index++)
  {
  size_t siz = 0;
  switch(ret = gnutls_x509_crt_get_crl_dist_points(
    (gnutls_x509_crt_t)cert, index, NULL, &siz, NULL, NULL))
    {
    case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
      return string_from_gstring(list);
    case GNUTLS_E_SHORT_MEMORY_BUFFER:
      break;
    default:
      return g_err("gc0", __FUNCTION__, ret);
    }

  ele = store_get(siz, TRUE);
  if ((ret = gnutls_x509_crt_get_crl_dist_points(
      (gnutls_x509_crt_t)cert, index, ele, &siz, NULL, NULL)) < 0)
    return g_err("gc1", __FUNCTION__, ret);

  list = string_append_listele_n(list, sep, ele, siz);
  }
/*NOTREACHED*/
}


/*****************************************************
*  Certificate operator routines
*****************************************************/
uschar *
tls_cert_der_b64(void * cert)
{
size_t len = 0;
uschar * cp = NULL;
int fail;

if (  (fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
	GNUTLS_X509_FMT_DER, cp, &len)) != GNUTLS_E_SHORT_MEMORY_BUFFER
   || !(cp = store_get((int)len, TRUE), TRUE)	/* tainted */
   || (fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
        GNUTLS_X509_FMT_DER, cp, &len))
   )
  {
  log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
    gnutls_strerror(fail));
  return NULL;
  }
return b64encode(CUS cp, (int)len);
}


static uschar *
fingerprint(gnutls_x509_crt_t cert, gnutls_digest_algorithm_t algo)
{
int ret;
size_t siz = 0;
uschar * cp;
uschar * cp2;

if ((ret = gnutls_x509_crt_get_fingerprint(cert, algo, NULL, &siz))
    != GNUTLS_E_SHORT_MEMORY_BUFFER)
  return g_err("gf0", __FUNCTION__, ret);

cp = store_get(siz*3+1, TRUE);
if ((ret = gnutls_x509_crt_get_fingerprint(cert, algo, cp, &siz)) < 0)
  return g_err("gf1", __FUNCTION__, ret);

for (uschar * cp3 = cp2 = cp+siz; cp < cp2; cp++)
  cp3 += sprintf(CS cp3, "%02X", *cp);
return cp2;
}


uschar *
tls_cert_fprt_md5(void * cert)
{
return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_MD5);
}

uschar *
tls_cert_fprt_sha1(void * cert)
{
return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA1);
}

uschar *
tls_cert_fprt_sha256(void * cert)
{
return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA256);
}


/* vi: aw ai sw=2
*/
/* End of tlscert-gnu.c */
Commit	Line	Data
	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
	4
	5	/* Copyright (c) Jeremy Harris 2014 - 2018 */
	6
	7	/* This file provides TLS/SSL support for Exim using the GnuTLS library,
	8	one of the available supported implementations. This file is #included into
	9	tls.c when USE_GNUTLS has been set.
	10	*/
	11
	12	#include <gnutls/gnutls.h>
	13	/* needed for cert checks in verification and DN extraction: */
	14	#include <gnutls/x509.h>
	15	/* needed to disable PKCS11 autoload unless requested */
	16	#if GNUTLS_VERSION_NUMBER >= 0x020c00
	17	# include <gnutls/pkcs11.h>
	18	#endif
	19
	20
	21	/*****************************************************
	22	* Export/import a certificate, binary/printable
	23	******************************************************
	24	Return: boolean success
	25	*/
	26
	27	BOOL
	28	tls_export_cert(uschar * buf, size_t buflen, void * cert)
	29	{
	30	size_t sz = buflen;
	31	rmark reset_point = store_mark();
	32	BOOL fail;
	33	const uschar * cp;
	34
	35	if ((fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
	36	GNUTLS_X509_FMT_PEM, buf, &sz)))
	37	{
	38	log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
	39	gnutls_strerror(fail));
	40	return FALSE;
	41	}
	42	if ((cp = string_printing(buf)) != buf)
	43	{
	44	Ustrncpy(buf, cp, buflen);
	45	if (buf[buflen-1])
	46	fail = 1;
	47	}
	48	store_reset(reset_point);
	49	return !fail;
	50	}
	51
	52	/* On error, NULL out the destination */
	53	BOOL
	54	tls_import_cert(const uschar * buf, void ** cert)
	55	{
	56	rmark reset_point = store_mark();
	57	gnutls_datum_t datum;
	58	gnutls_x509_crt_t crt = (gnutls_x509_crt_t )cert;
	59	int rc;
	60
	61	if (crt)
	62	gnutls_x509_crt_deinit(crt);
	63	else
	64	gnutls_global_init();
	65
	66	gnutls_x509_crt_init(&crt);
	67
	68	datum.data = string_unprinting(US buf);
	69	datum.size = Ustrlen(datum.data);
	70	if ((rc = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM)))
	71	{
	72	log_write(0, LOG_MAIN, "TLS error in certificate import: %s",
	73	gnutls_strerror(rc));
	74	crt = NULL;
	75	}
	76	cert = (void )crt;
	77	store_reset(reset_point);
	78	return rc != 0;
	79	}
	80
	81	void
	82	tls_free_cert(void ** cert)
	83	{
	84	gnutls_x509_crt_t crt = (gnutls_x509_crt_t )cert;
	85	if (crt)
	86	{
	87	gnutls_x509_crt_deinit(crt);
	88	gnutls_global_deinit();
	89	*cert = NULL;
	90	}
	91	}
	92
	93	/*****************************************************
	94	* Certificate field extraction routines
	95	*****************************************************/
	96
	97	/* First, some internal service functions */
	98
	99	static uschar *
	100	g_err(const char * tag, const char * from, int gnutls_err)
	101	{
	102	expand_string_message = string_sprintf("%s: %s fail: %s\n",
	103	from, tag, gnutls_strerror(gnutls_err));
	104	return NULL;
	105	}
	106
	107
	108	static uschar *
	109	time_copy(time_t t, uschar * mod)
	110	{
	111	uschar * cp;
	112	size_t len = 32;
	113
	114	if (mod && Ustrcmp(mod, "int") == 0)
	115	return string_sprintf("%u", (unsigned)t);
	116
	117	cp = store_get(len, FALSE);
	118	if (f.timestamps_utc)
	119	{
	120	uschar * tz = to_tz(US"GMT0");
	121	len = strftime(CS cp, len, "%b %e %T %Y %Z", gmtime(&t));
	122	restore_tz(tz);
	123	}
	124	else
	125	len = strftime(CS cp, len, "%b %e %T %Y %Z", localtime(&t));
	126	return len > 0 ? cp : NULL;
	127	}
	128
	129
	130	/**/
	131	/* Now the extractors, called from expand.c
	132	Arguments:
	133	cert The certificate
	134	mod Optional modifiers for the operator
	135
	136	Return:
	137	Allocated string with extracted value
	138	*/
	139
	140	uschar *
	141	tls_cert_issuer(void * cert, uschar * mod)
	142	{
	143	uschar * cp = NULL;
	144	int ret;
	145	size_t siz = 0;
	146
	147	if ((ret = gnutls_x509_crt_get_issuer_dn(cert, CS cp, &siz))
	148	!= GNUTLS_E_SHORT_MEMORY_BUFFER)
	149	return g_err("gi0", __FUNCTION__, ret);
	150
	151	cp = store_get(siz, TRUE);
	152	if ((ret = gnutls_x509_crt_get_issuer_dn(cert, CS cp, &siz)) < 0)
	153	return g_err("gi1", __FUNCTION__, ret);
	154
	155	return mod ? tls_field_from_dn(cp, mod) : cp;
	156	}
	157
	158	uschar *
	159	tls_cert_not_after(void * cert, uschar * mod)
	160	{
	161	return time_copy(
	162	gnutls_x509_crt_get_expiration_time((gnutls_x509_crt_t)cert),
	163	mod);
	164	}
	165
	166	uschar *
	167	tls_cert_not_before(void * cert, uschar * mod)
	168	{
	169	return time_copy(
	170	gnutls_x509_crt_get_activation_time((gnutls_x509_crt_t)cert),
	171	mod);
	172	}
	173
	174	uschar *
	175	tls_cert_serial_number(void * cert, uschar * mod)
	176	{
	177	uschar bin[50], txt[150];
	178	uschar * sp = bin;
	179	size_t sz = sizeof(bin);
	180	int ret;
	181
	182	if ((ret = gnutls_x509_crt_get_serial((gnutls_x509_crt_t)cert,
	183	bin, &sz)))
	184	return g_err("gs0", __FUNCTION__, ret);
	185
	186	for(uschar * dp = txt; sz; sz--)
	187	dp += sprintf(CS dp, "%.2x", *sp++);
	188	for(sp = txt; sp[0]=='0' && sp[1]; ) sp++; /* leading zeroes */
	189	return string_copy(sp);
	190	}
	191
	192	uschar *
	193	tls_cert_signature(void * cert, uschar * mod)
	194	{
	195	uschar * cp1 = NULL;
	196	uschar * cp2;
	197	uschar * cp3;
	198	size_t len = 0;
	199	int ret;
	200
	201	if ((ret = gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, CS cp1, &len))
	202	!= GNUTLS_E_SHORT_MEMORY_BUFFER)
	203	return g_err("gs0", __FUNCTION__, ret);
	204
	205	cp1 = store_get(len*4+1, TRUE);
	206	if (gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, CS cp1, &len) != 0)
	207	return g_err("gs1", __FUNCTION__, ret);
	208
	209	for(cp3 = cp2 = cp1+len; cp1 < cp2; cp1++)
	210	cp3 += sprintf(CS cp3, "%.2x ", *cp1);
	211	cp3[-1]= '\0';
	212
	213	return cp2;
	214	}
	215
	216	uschar *
	217	tls_cert_signature_algorithm(void * cert, uschar * mod)
	218	{
	219	gnutls_sign_algorithm_t algo =
	220	gnutls_x509_crt_get_signature_algorithm((gnutls_x509_crt_t)cert);
	221	return algo < 0 ? NULL : string_copy(US gnutls_sign_get_name(algo));
	222	}
	223
	224	uschar *
	225	tls_cert_subject(void * cert, uschar * mod)
	226	{
	227	uschar * cp = NULL;
	228	int ret;
	229	size_t siz = 0;
	230
	231	if ((ret = gnutls_x509_crt_get_dn(cert, CS cp, &siz))
	232	!= GNUTLS_E_SHORT_MEMORY_BUFFER)
	233	return g_err("gs0", __FUNCTION__, ret);
	234
	235	cp = store_get(siz, TRUE);
	236	if ((ret = gnutls_x509_crt_get_dn(cert, CS cp, &siz)) < 0)
	237	return g_err("gs1", __FUNCTION__, ret);
	238
	239	return mod ? tls_field_from_dn(cp, mod) : cp;
	240	}
	241
	242	uschar *
	243	tls_cert_version(void * cert, uschar * mod)
	244	{
	245	return string_sprintf("%d", gnutls_x509_crt_get_version(cert));
	246	}
	247
	248	uschar *
	249	tls_cert_ext_by_oid(void * cert, uschar * oid, int idx)
	250	{
	251	uschar * cp1 = NULL;
	252	uschar * cp2;
	253	uschar * cp3;
	254	size_t siz = 0;
	255	unsigned int crit;
	256	int ret;
	257
	258	ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
	259	CS oid, idx, CS cp1, &siz, &crit);
	260	if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
	261	return g_err("ge0", __FUNCTION__, ret);
	262
	263	cp1 = store_get(siz*4 + 1, TRUE);
	264
	265	ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
	266	CS oid, idx, CS cp1, &siz, &crit);
	267	if (ret < 0)
	268	return g_err("ge1", __FUNCTION__, ret);
	269
	270	/* binary data, DER encoded */
	271
	272	/* just dump for now */
	273	for(cp3 = cp2 = cp1+siz; cp1 < cp2; cp1++)
	274	cp3 += sprintf(CS cp3, "%.2x ", *cp1);
	275	cp3[-1]= '\0';
	276
	277	return cp2;
	278	}
	279
	280	uschar *
	281	tls_cert_subject_altname(void * cert, uschar * mod)
	282	{
	283	gstring * list = NULL;
	284	size_t siz;
	285	int ret;
	286	uschar sep = '\n';
	287	uschar * tag = US"";
	288	uschar * ele;
	289	int match = -1;
	290
	291	while (mod)
	292	{
	293	if (mod == '>' && ++mod) sep = *mod++;
	294	else if (Ustrcmp(mod, "dns")==0) { match = GNUTLS_SAN_DNSNAME; mod += 3; }
	295	else if (Ustrcmp(mod, "uri")==0) { match = GNUTLS_SAN_URI; mod += 3; }
	296	else if (Ustrcmp(mod, "mail")==0) { match = GNUTLS_SAN_RFC822NAME; mod += 4; }
	297	else continue;
	298
	299	if (*mod++ != ',')
	300	break;
	301	}
	302
	303	for (int index = 0;; index++)
	304	{
	305	siz = 0;
	306	switch(ret = gnutls_x509_crt_get_subject_alt_name(
	307	(gnutls_x509_crt_t)cert, index, NULL, &siz, NULL))
	308	{
	309	case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
	310	return string_from_gstring(list); /* no more elements; normal exit */
	311
	312	case GNUTLS_E_SHORT_MEMORY_BUFFER:
	313	break;
	314
	315	default:
	316	return g_err("gs0", __FUNCTION__, ret);
	317	}
	318
	319	ele = store_get(siz+1, TRUE);
	320	if ((ret = gnutls_x509_crt_get_subject_alt_name(
	321	(gnutls_x509_crt_t)cert, index, ele, &siz, NULL)) < 0)
	322	return g_err("gs1", __FUNCTION__, ret);
	323	ele[siz] = '\0';
	324
	325	if ( match != -1 && match != ret /* wrong type of SAN */
	326	\|\| Ustrlen(ele) != siz) /* contains a NUL */
	327	continue;
	328	switch (ret)
	329	{
	330	case GNUTLS_SAN_DNSNAME: tag = US"DNS"; break;
	331	case GNUTLS_SAN_URI: tag = US"URI"; break;
	332	case GNUTLS_SAN_RFC822NAME: tag = US"MAIL"; break;
	333	default: continue; /* ignore unrecognised types */
	334	}
	335	list = string_append_listele(list, sep,
	336	match == -1 ? string_sprintf("%s=%s", tag, ele) : ele);
	337	}
	338	/NOTREACHED/
	339	}
	340
	341	uschar *
	342	tls_cert_ocsp_uri(void * cert, uschar * mod)
	343	{
	344	#if GNUTLS_VERSION_NUMBER >= 0x030000
	345	gnutls_datum_t uri;
	346	int ret;
	347	uschar sep = '\n';
	348	gstring * list = NULL;
	349
	350	if (mod)
	351	if (mod == '>' && ++mod) sep = *mod++;
	352
	353	for (int index = 0;; index++)
	354	{
	355	ret = gnutls_x509_crt_get_authority_info_access((gnutls_x509_crt_t)cert,
	356	index, GNUTLS_IA_OCSP_URI, &uri, NULL);
	357
	358	if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
	359	return string_from_gstring(list);
	360	if (ret < 0)
	361	return g_err("gai", __FUNCTION__, ret);
	362
	363	list = string_append_listele_n(list, sep, uri.data, uri.size);
	364	}
	365	/NOTREACHED/
	366
	367	#else
	368
	369	expand_string_message =
	370	string_sprintf("%s: OCSP support with GnuTLS requires version 3.0.0\n",
	371	__FUNCTION__);
	372	return NULL;
	373
	374	#endif
	375	}
	376
	377	uschar *
	378	tls_cert_crl_uri(void * cert, uschar * mod)
	379	{
	380	int ret;
	381	uschar sep = '\n';
	382	gstring * list = NULL;
	383	uschar * ele;
	384
	385	if (mod)
	386	if (mod == '>' && ++mod) sep = *mod++;
	387
	388	for (int index = 0;; index++)
	389	{
	390	size_t siz = 0;
	391	switch(ret = gnutls_x509_crt_get_crl_dist_points(
	392	(gnutls_x509_crt_t)cert, index, NULL, &siz, NULL, NULL))
	393	{
	394	case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
	395	return string_from_gstring(list);
	396	case GNUTLS_E_SHORT_MEMORY_BUFFER:
	397	break;
	398	default:
	399	return g_err("gc0", __FUNCTION__, ret);
	400	}
	401
	402	ele = store_get(siz, TRUE);
	403	if ((ret = gnutls_x509_crt_get_crl_dist_points(
	404	(gnutls_x509_crt_t)cert, index, ele, &siz, NULL, NULL)) < 0)
	405	return g_err("gc1", __FUNCTION__, ret);
	406
	407	list = string_append_listele_n(list, sep, ele, siz);
	408	}
	409	/NOTREACHED/
	410	}
	411
	412
	413	/*****************************************************
	414	* Certificate operator routines
	415	*****************************************************/
	416	uschar *
	417	tls_cert_der_b64(void * cert)
	418	{
	419	size_t len = 0;
	420	uschar * cp = NULL;
	421	int fail;
	422
	423	if ( (fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
	424	GNUTLS_X509_FMT_DER, cp, &len)) != GNUTLS_E_SHORT_MEMORY_BUFFER
	425	\|\| !(cp = store_get((int)len, TRUE), TRUE) /* tainted */
	426	\|\| (fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
	427	GNUTLS_X509_FMT_DER, cp, &len))
	428	)
	429	{
	430	log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
	431	gnutls_strerror(fail));
	432	return NULL;
	433	}
	434	return b64encode(CUS cp, (int)len);
	435	}
	436
	437
	438	static uschar *
	439	fingerprint(gnutls_x509_crt_t cert, gnutls_digest_algorithm_t algo)
	440	{
	441	int ret;
	442	size_t siz = 0;
	443	uschar * cp;
	444	uschar * cp2;
	445
	446	if ((ret = gnutls_x509_crt_get_fingerprint(cert, algo, NULL, &siz))
	447	!= GNUTLS_E_SHORT_MEMORY_BUFFER)
	448	return g_err("gf0", __FUNCTION__, ret);
	449
	450	cp = store_get(siz*3+1, TRUE);
	451	if ((ret = gnutls_x509_crt_get_fingerprint(cert, algo, cp, &siz)) < 0)
	452	return g_err("gf1", __FUNCTION__, ret);
	453
	454	for (uschar * cp3 = cp2 = cp+siz; cp < cp2; cp++)
	455	cp3 += sprintf(CS cp3, "%02X", *cp);
	456	return cp2;
	457	}
	458
	459
	460	uschar *
	461	tls_cert_fprt_md5(void * cert)
	462	{
	463	return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_MD5);
	464	}
	465
	466	uschar *
	467	tls_cert_fprt_sha1(void * cert)
	468	{
	469	return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA1);
	470	}
	471
	472	uschar *
	473	tls_cert_fprt_sha256(void * cert)
	474	{
	475	return fingerprint((gnutls_x509_crt_t)cert, GNUTLS_DIG_SHA256);
	476	}
	477
	478
	479	/* vi: aw ai sw=2
	480	*/
	481	/* End of tlscert-gnu.c */