src/src/tlscert-gnu.c

   1 /*************************************************
   2 *     Exim - an Internet mail transport agent    *
   3 *************************************************/
   4
   5 /* Copyright (c) Jeremy Harris 2014 */
   6
   7 /* This file provides TLS/SSL support for Exim using the GnuTLS library,
   8 one of the available supported implementations.  This file is #included into
   9 tls.c when USE_GNUTLS has been set.
  10 */
  11
  12 #include <gnutls/gnutls.h>
  13 /* needed for cert checks in verification and DN extraction: */
  14 #include <gnutls/x509.h>
  15 /* needed to disable PKCS11 autoload unless requested */
  16 #if GNUTLS_VERSION_NUMBER >= 0x020c00
  17 # include <gnutls/pkcs11.h>
  18 #endif
  19
  20
  21 /*****************************************************
  22 *  Export/import a certificate, binary/printable
  23 *****************************************************/
  24 int
  25 tls_export_cert(uschar * buf, size_t buflen, void * cert)
  26 {
  27 size_t sz = buflen;
  28 void * reset_point = store_get(0);
  29 int fail = 0;
  30 uschar * cp;
  31
  32 if (gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
  33     GNUTLS_X509_FMT_PEM, buf, &sz))
  34   return 1;
  35 if ((cp = string_printing(buf)) != buf)
  36   {
  37   Ustrncpy(buf, cp, buflen);
  38   if (buf[buflen-1])
  39     fail = 1;
  40   }
  41 store_reset(reset_point);
  42 return fail;
  43 }
  44
  45 int
  46 tls_import_cert(const uschar * buf, void ** cert)
  47 {
  48 void * reset_point = store_get(0);
  49 gnutls_datum_t datum;
  50 gnutls_x509_crt_t crt;
  51 int fail = 0;
  52
  53 gnutls_global_init();
  54 gnutls_x509_crt_init(&crt);
  55
  56 datum.data = string_unprinting(US buf);
  57 datum.size = Ustrlen(datum.data);
  58 if (gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM))
  59   fail = 1;
  60 else
  61   *cert = (void *)crt;
  62
  63 store_reset(reset_point);
  64 return fail;
  65 }
  66
  67 void
  68 tls_free_cert(void * cert)
  69 {
  70 gnutls_x509_crt_deinit((gnutls_x509_crt_t) cert);
  71 gnutls_global_deinit();
  72 }
  73
  74 /*****************************************************
  75 *  Certificate field extraction routines
  76 *****************************************************/
  77 static uschar *
  78 time_copy(time_t t)
  79 {
  80 uschar * cp = store_get(32);
  81 struct tm * tp = gmtime(&t);
  82 size_t len = strftime(CS cp, 32, "%b %e %T %Y %Z", tp);
  83 return len > 0 ? cp : NULL;
  84 }
  85
  86 /**/
  87
  88 uschar *
  89 tls_cert_issuer(void * cert)
  90 {
  91 uschar txt[256];
  92 size_t sz = sizeof(txt);
  93 return ( gnutls_x509_crt_get_issuer_dn(cert, CS txt, &sz) == 0 )
  94   ? string_copy(txt) : NULL;
  95 }
  96
  97 uschar *
  98 tls_cert_not_after(void * cert)
  99 {
 100 return time_copy(
 101   gnutls_x509_crt_get_expiration_time((gnutls_x509_crt_t)cert));
 102 }
 103
 104 uschar *
 105 tls_cert_not_before(void * cert)
 106 {
 107 return time_copy(
 108   gnutls_x509_crt_get_activation_time((gnutls_x509_crt_t)cert));
 109 }
 110
 111 uschar *
 112 tls_cert_serial_number(void * cert)
 113 {
 114 uschar bin[50], txt[150];
 115 size_t sz = sizeof(bin);
 116 uschar * sp;
 117 uschar * dp;
 118
 119 if (gnutls_x509_crt_get_serial((gnutls_x509_crt_t)cert,
 120     bin, &sz) || sz > sizeof(bin))
 121   return NULL;
 122 for(dp = txt, sp = bin; sz; dp += 2, sp++, sz--)
 123   sprintf(dp, "%.2x", *sp);
 124 for(sp = txt; sp[0]=='0' && sp[1]; ) sp++;      /* leading zeroes */
 125 return string_copy(sp);
 126 }
 127
 128 uschar *
 129 tls_cert_signature(void * cert)
 130 {
 131 uschar * cp1;
 132 uschar * cp2;
 133 uschar * cp3;
 134 size_t len = 0;
 135 int ret;
 136
 137 if ((ret = gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, cp1, &len)) !=
 138         GNUTLS_E_SHORT_MEMORY_BUFFER)
 139   {
 140   fprintf(stderr, "%s: gs0 fail: %s\n", __FUNCTION__, gnutls_strerror(ret));
 141   return NULL;
 142   }
 143
 144 cp1 = store_get(len*4+1);
 145
 146 if (gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, cp1, &len) != 0)
 147   {
 148   fprintf(stderr, "%s: gs1 fail\n", __FUNCTION__);
 149   return NULL;
 150   }
 151
 152 for(cp3 = cp2 = cp1+len; cp1 < cp2; cp3 += 3, cp1++)
 153   sprintf(cp3, "%.2x ", *cp1);
 154 cp3[-1]= '\0';
 155
 156 return cp2;
 157 }
 158
 159 uschar *
 160 tls_cert_signature_algorithm(void * cert)
 161 {
 162 gnutls_sign_algorithm_t algo =
 163   gnutls_x509_crt_get_signature_algorithm((gnutls_x509_crt_t)cert);
 164 return algo < 0 ? NULL : string_copy(gnutls_sign_get_name(algo));
 165 }
 166
 167 uschar *
 168 tls_cert_subject(void * cert)
 169 {
 170 static uschar txt[256];
 171 size_t sz = sizeof(txt);
 172 return ( gnutls_x509_crt_get_dn(cert, CS txt, &sz) == 0 )
 173   ? string_copy(txt) : NULL;
 174 }
 175
 176 uschar *
 177 tls_cert_version(void * cert)
 178 {
 179 return string_sprintf("%d", gnutls_x509_crt_get_version(cert));
 180 }
 181
 182 uschar *
 183 tls_cert_ext_by_oid(void * cert, uschar * oid, int idx)
 184 {
 185 uschar * cp1 = NULL;
 186 uschar * cp2;
 187 uschar * cp3;
 188 size_t siz = 0;
 189 unsigned int crit;
 190 int ret;
 191
 192 ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
 193   oid, idx, cp1, &siz, &crit);
 194 if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
 195   {
 196   fprintf(stderr, "%s: ge0 fail: %s\n", __FUNCTION__, gnutls_strerror(ret));
 197   return NULL;
 198   }
 199
 200 cp1 = store_get(siz*4 + 1);
 201
 202 ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
 203   oid, idx, cp1, &siz, &crit);
 204 if (ret < 0)
 205   {
 206   fprintf(stderr, "%s: ge1 fail: %s\n", __FUNCTION__, gnutls_strerror(ret));
 207   return NULL;
 208   }
 209
 210 /* binary data, DER encoded */
 211
 212 /* just dump for now */
 213 for(cp3 = cp2 = cp1+siz; cp1 < cp2; cp3 += 3, cp1++)
 214   sprintf(cp3, "%.2x ", *cp1);
 215 cp3[-1]= '\0';
 216
 217 return cp2;
 218 }
 219
 220 uschar *
 221 tls_cert_subject_altname(void * cert)
 222 {
 223 uschar * cp = NULL;
 224 size_t siz = 0;
 225 unsigned int crit;
 226 int ret;
 227
 228 ret = gnutls_x509_crt_get_subject_alt_name ((gnutls_x509_crt_t)cert,
 229   0, cp, &siz, &crit);
 230 switch(ret)
 231   {
 232   case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
 233     return NULL;
 234   case GNUTLS_E_SHORT_MEMORY_BUFFER:
 235     break;
 236   default:
 237     expand_string_message =
 238       string_sprintf("%s: gs0 fail: %d %s\n", __FUNCTION__,
 239         ret, gnutls_strerror(ret));
 240     return NULL;
 241   }
 242
 243 cp = store_get(siz+1);
 244 ret = gnutls_x509_crt_get_subject_alt_name ((gnutls_x509_crt_t)cert,
 245   0, cp, &siz, &crit);
 246 if (ret < 0)
 247   {
 248   expand_string_message =
 249     string_sprintf("%s: gs1 fail: %d %s\n", __FUNCTION__,
 250       ret, gnutls_strerror(ret));
 251   return NULL;
 252   }
 253 cp[siz] = '\0';
 254 return cp;
 255 }
 256
 257 uschar *
 258 tls_cert_ocsp_uri(void * cert)
 259 {
 260 #if GNUTLS_VERSION_NUMBER >= 0x030000
 261 gnutls_datum_t uri;
 262 unsigned int crit;
 263 int ret = gnutls_x509_crt_get_authority_info_access((gnutls_x509_crt_t)cert,
 264         0, GNUTLS_IA_OCSP_URI, &uri, &crit);
 265
 266 if (ret >= 0)
 267   return string_copyn(uri.data, uri.size);
 268
 269 if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
 270   expand_string_message =
 271     string_sprintf("%s: gai fail: %d %s\n", __FUNCTION__,
 272       ret, gnutls_strerror(ret));
 273
 274 return NULL;
 275
 276 #else
 277
 278 expand_string_message =
 279   string_sprintf("%s: OCSP support with GnuTLS requires version 3.0.0\n",
 280     __FUNCTION__);
 281 return NULL;
 282
 283 #endif
 284 }
 285
 286 uschar *
 287 tls_cert_crl_uri(void * cert)
 288 {
 289 int ret;
 290 uschar * cp = NULL;
 291 size_t siz = 0;
 292
 293 ret = gnutls_x509_crt_get_crl_dist_points ((gnutls_x509_crt_t)cert,
 294   0, cp, &siz, NULL, NULL);
 295 switch(ret)
 296   {
 297   case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
 298     return NULL;
 299   case GNUTLS_E_SHORT_MEMORY_BUFFER:
 300     break;
 301   default:
 302     expand_string_message =
 303       string_sprintf("%s: gc0 fail: %d %s\n", __FUNCTION__,
 304         ret, gnutls_strerror(ret));
 305     return NULL;
 306   }
 307
 308 cp = store_get(siz+1);
 309 ret = gnutls_x509_crt_get_crl_dist_points ((gnutls_x509_crt_t)cert,
 310   0, cp, &siz, NULL, NULL);
 311 if (ret < 0)
 312   {
 313   expand_string_message =
 314     string_sprintf("%s: gs1 fail: %d %s\n", __FUNCTION__,
 315       ret, gnutls_strerror(ret));
 316   return NULL;
 317   }
 318 cp[siz] = '\0';
 319 return cp;
 320 }
 321
 322
 323 /* vi: aw ai sw=2
 324 */
 325 /* End of tlscert-gnu.c */