/*
 * Copyright (C) 2002, 2003, 2004, 2005, 2007 Free Software Foundation
 *
 * Author: Nikos Mavrogiannopoulos
 *
 * This file is part of GNUTLS.
 *
 * The GNUTLS library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public License
 * as published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
 * USA
 *
 */

#ifndef AUTH_CERT_H
#define AUTH_CERT_H

#include "gnutls_cert.h"
#include "gnutls_auth.h"
#include "auth_dh_common.h"
#include "x509.h"

/* Certificate credentials for one endpoint that may hold several
 * certificate chains.  The layout is deliberately "columnar": cert_list[i]
 * is a chain, cert_list_length[i] its length and pkey[i] the matching
 * private key, so a single index selects one complete identity.  Nothing
 * in this structure is verified on its own; the verify_* fields merely
 * configure the checks performed elsewhere.
 */

typedef struct MHD_gtls_certificate_credentials_st
{
  MHD_gtls_dh_params_t dh_params;
  MHD_gtls_rsa_params_t rsa_params;
  /* Optional callback used to retrieve the DH or RSA parameters at
   * handshake time; when set it apparently takes precedence over the
   * static dh_params/rsa_params above (see
   * MHD_gtls_certificate_get_rsa_params) -- confirm in the .c file.
   */
  MHD_gnutls_params_function *params_func;

  MHD_gnutls_cert **cert_list;
  /* Array of ncerts certificate chains.  Each row starts with the
   * end-entity certificate and, if longer than one, each following
   * certificate certifies the one before it, e.g. (X509):
   *       [0] certificate1, certificate11, certificate111
   *       [1] certificate2, certificate22, ...
   */
  unsigned *cert_list_length;
  /* cert_list_length[i] is the number of certificates in row
   * cert_list[i] (should be 1 for OpenPGP keys).
   */
  unsigned ncerts;              /* number of rows in cert_list; this is
                                 * also the number of entries in
                                 * cert_list_length and in pkey.
                                 */

  MHD_gnutls_privkey *pkey;
  /* Private keys: ncerts entries, pkey[i] corresponding to the
   * end-entity certificate cert_list[i][0].  This is long-term key
   * material; NOTE(review): the deinit path should wipe these before
   * freeing them, not merely free them -- confirm in the .c file.
   */

  /* OpenPGP specific stuff */

  /* NOTE(review): the two branches below give `keyring' a different type
   * and size, so every translation unit that touches this struct must
   * agree on KEYRING_HACK or the offsets of all following members differ.
   */
#ifndef KEYRING_HACK
  MHD_gnutls_openpgp_keyring_t keyring;
#else
  MHD_gnutls_datum_t keyring;
  int keyring_format;
#endif

  /* X509 specific stuff */

  MHD_gnutls_x509_crt_t *x509_ca_list;
  unsigned x509_ncas;           /* number of CAs in x509_ca_list;
                                 * presumably the trust anchors a peer
                                 * chain is verified against -- confirm.
                                 */

  MHD_gnutls_x509_crl_t *x509_crl_list;
  unsigned x509_ncrls;          /* number of CRLs in x509_crl_list
                                 */

  unsigned int verify_flags;    /* flags to be used at
                                 * certificate verification.
                                 */
  unsigned int verify_depth;    /* presumably the maximum chain length
                                 * accepted at verification -- confirm.
                                 */
  unsigned int verify_bits;     /* presumably the minimum public-key size
                                 * in bits accepted at verification --
                                 * confirm.
                                 */

  /* Pre-encoded sequence of the RDNs of the CAs above, cached so it is
   * not regenerated on every handshake.  It is derived from
   * x509_ca_list and goes stale if that list changes without this
   * datum being rebuilt.
   */
  MHD_gnutls_datum_t x509_rdn_sequence;

  /* Optional callbacks (client side / server side) that supply the
   * certificate to present; when set they apparently override the
   * static lists above -- confirm against the .c file.
   */
  MHD_gnutls_certificate_client_retrieve_function *client_get_cert_callback;
  MHD_gnutls_certificate_server_retrieve_function *server_get_cert_callback;
} MHD_gtls_cert_credentials_st;

/* Public part (modulus, exponent) of an RSA key, stored as two datums
 * owned by the holder and released with MHD_gtls_free_rsa_info().
 * NOTE(review): unlike the struct tag, the typedef name carries no MHD_
 * prefix and could collide with another GnuTLS copy's types if both
 * headers ever become visible in one translation unit.
 */
typedef struct MHD_gtls_rsa_info_st
{
  MHD_gnutls_datum_t modulus;
  MHD_gnutls_datum_t exponent;
} rsa_info_st;

/* Per-session authentication info for the certificate-based ciphersuites:
 * what was exchanged with the peer during the handshake.  The peer's
 * certificates in here come straight from the network and must be treated
 * as untrusted until they have been verified against the credentials'
 * CA/CRL lists; nothing in this structure records whether that happened.
 */
typedef struct MHD_gtls_cert_auth_info_st
{
  int certificate_requested;    /* non-zero if the peer requested a
                                 * certificate from us.
                                 */

  /* DH / RSA parameters.  These are just copies taken from the
   * credentials structure and must be freed together with this struct.
   * NOTE(review): the name `rsa_export' suggests the RSA_EXPORT key
   * exchange, whose temporary RSA keys are export-grade and therefore
   * cryptographically weak; confirm whether such ciphersuites can still
   * be negotiated at all.
   */
  MHD_gtls_dh_info_st dh;
  rsa_info_st rsa_export;

  MHD_gnutls_datum_t *raw_certificate_list;     /* the peer's certificates
                                                 * exactly as received on
                                                 * the wire, ncerts
                                                 * entries; neither parsed
                                                 * nor verified here.
                                                 */
  unsigned int ncerts;          /* number of entries in
                                 * raw_certificate_list.
                                 */
} *cert_auth_info_t;

/* Value type behind cert_auth_info_t (which is a pointer typedef). */
typedef struct MHD_gtls_cert_auth_info_st cert_auth_info_st;

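/* Release the two datums held by *rsa (they are copies taken from the
 * credentials); the rsa_info_st itself is not freed.
 */
void MHD_gtls_free_rsa_info (rsa_info_st * rsa);

/* AUTH X509 functions.
 *
 * gen_* functions build the body of the named handshake message for
 * `session' and hand it back in *data; the int result is presumably the
 * message length, negative on error -- confirm against the .c file.
 * proc_* functions parse the peer's copy of that message from
 * data/data_size.  `data' is untrusted wire input: every proc_* must
 * bounds-check against data_size before reading a field.
 */
int MHD_gtls_gen_cert_server_certificate (MHD_gtls_session_t session,
                                          opaque ** data);
int MHD_gtls_gen_cert_client_certificate (MHD_gtls_session_t session,
                                          opaque ** data);
int MHD_gtls_gen_cert_client_cert_vrfy (MHD_gtls_session_t session,
                                        opaque ** data);
int MHD_gtls_gen_cert_server_cert_req (MHD_gtls_session_t session,
                                       opaque ** data);
int MHD_gtls_proc_cert_cert_req (MHD_gtls_session_t session, opaque * data,
                                 size_t data_size);
int MHD_gtls_proc_cert_client_cert_vrfy (MHD_gtls_session_t session,
                                         opaque * data, size_t data_size);
int MHD_gtls_proc_cert_server_certificate (MHD_gtls_session_t session,
                                           opaque * data, size_t data_size);

/* Return the certificate chain and private key currently selected for
 * `session' through *apr_cert_list / *apr_cert_list_length / *apr_pkey.
 * NOTE(review): the length is an int here while the credentials keep
 * their counts as unsigned -- watch the sign conversion at call sites.
 */
int MHD_gtls_get_selected_cert (MHD_gtls_session_t session,
                                MHD_gnutls_cert ** apr_cert_list,
                                int *apr_cert_list_length,
                                MHD_gnutls_privkey ** apr_pkey);

/* Server side: choose which of the credentials' certificate chains to
 * present, given the public-key algorithm the ciphersuite calls for.
 */
int MHD_gtls_server_select_cert (struct MHD_gtls_session_int *session,
                                 enum MHD_GNUTLS_PublicKeyAlgorithm pk_algorithm);
/* Forget the session's selected certificates and key; presumably frees
 * them only when they were handed over with need_free set -- confirm.
 */
void MHD_gtls_selected_certs_deinit (MHD_gtls_session_t session);
/* Record `certs' (ncerts entries) and `key' as the session's selection.
 * need_free non-zero presumably transfers ownership to the session so
 * that MHD_gtls_selected_certs_deinit releases them -- confirm.
 */
void MHD_gtls_selected_certs_set (MHD_gtls_session_t session,
                                  MHD_gnutls_cert * certs, int ncerts,
                                  MHD_gnutls_privkey * key, int need_free);

/* The client's Certificate message is parsed by the same routine as the
 * server's: both are a list of raw certificates and get the same
 * bounds checking.
 */
#define MHD__gnutls_proc_cert_client_certificate MHD_gtls_proc_cert_server_certificate

/* Resolve the RSA parameters to use for `session': the static rsa_params,
 * or whatever `func' supplies when a params callback is set.
 */
MHD_gtls_rsa_params_t
MHD_gtls_certificate_get_rsa_params (MHD_gtls_rsa_params_t rsa_params,
                                     MHD_gnutls_params_function * func,
                                     MHD_gtls_session_t session);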

#endif