1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) Jeremy Harris 2014 */
7 /* This file provides TLS/SSL support for Exim using the GnuTLS library,
8 one of the available supported implementations. This file is #included into
9 tls.c when USE_GNUTLS has been set.
12 #include <gnutls/gnutls.h>
13 /* needed for cert checks in verification and DN extraction: */
14 #include <gnutls/x509.h>
15 /* needed to disable PKCS11 autoload unless requested */
16 #if GNUTLS_VERSION_NUMBER >= 0x020c00
17 # include <gnutls/pkcs11.h>
21 /*****************************************************
22 * Export/import a certificate, binary/printable
23 *****************************************************/
25 tls_export_cert(uschar * buf, size_t buflen, void * cert)
28 void * reset_point = store_get(0);
32 if (gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
33 GNUTLS_X509_FMT_PEM, buf, &sz))
35 if ((cp = string_printing(buf)) != buf)
37 Ustrncpy(buf, cp, buflen);
41 store_reset(reset_point);
46 tls_import_cert(const uschar * buf, void ** cert)
48 void * reset_point = store_get(0);
50 gnutls_x509_crt_t crt;
54 gnutls_x509_crt_init(&crt);
56 datum.data = string_unprinting(US buf);
57 datum.size = Ustrlen(datum.data);
58 if (gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM))
63 store_reset(reset_point);
68 tls_free_cert(void * cert)
70 gnutls_x509_crt_deinit((gnutls_x509_crt_t) cert);
71 gnutls_global_deinit();
74 /*****************************************************
75 * Certificate field extraction routines
76 *****************************************************/
80 uschar * cp = store_get(32);
81 struct tm * tp = gmtime(&t);
82 size_t len = strftime(CS cp, 32, "%b %e %T %Y %Z", tp);
83 return len > 0 ? cp : NULL;
89 tls_cert_issuer(void * cert)
92 size_t sz = sizeof(txt);
93 return ( gnutls_x509_crt_get_issuer_dn(cert, CS txt, &sz) == 0 )
94 ? string_copy(txt) : NULL;
98 tls_cert_not_after(void * cert)
101 gnutls_x509_crt_get_expiration_time((gnutls_x509_crt_t)cert));
105 tls_cert_not_before(void * cert)
108 gnutls_x509_crt_get_activation_time((gnutls_x509_crt_t)cert));
112 tls_cert_serial_number(void * cert)
114 uschar bin[50], txt[150];
115 size_t sz = sizeof(bin);
119 if (gnutls_x509_crt_get_serial((gnutls_x509_crt_t)cert,
120 bin, &sz) || sz > sizeof(bin))
122 for(dp = txt, sp = bin; sz; dp += 2, sp++, sz--)
123 sprintf(dp, "%.2x", *sp);
124 for(sp = txt; sp[0]=='0' && sp[1]; ) sp++; /* leading zeroes */
125 return string_copy(sp);
129 tls_cert_signature(void * cert)
137 if ((ret = gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, cp1, &len)) !=
138 GNUTLS_E_SHORT_MEMORY_BUFFER)
140 fprintf(stderr, "%s: gs0 fail: %s\n", __FUNCTION__, gnutls_strerror(ret));
144 cp1 = store_get(len*4+1);
146 if (gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, cp1, &len) != 0)
148 fprintf(stderr, "%s: gs1 fail\n", __FUNCTION__);
152 for(cp3 = cp2 = cp1+len; cp1 < cp2; cp3 += 3, cp1++)
153 sprintf(cp3, "%.2x ", *cp1);
160 tls_cert_signature_algorithm(void * cert)
162 gnutls_sign_algorithm_t algo =
163 gnutls_x509_crt_get_signature_algorithm((gnutls_x509_crt_t)cert);
164 return algo < 0 ? NULL : string_copy(gnutls_sign_get_name(algo));
168 tls_cert_subject(void * cert)
170 static uschar txt[256];
171 size_t sz = sizeof(txt);
172 return ( gnutls_x509_crt_get_dn(cert, CS txt, &sz) == 0 )
173 ? string_copy(txt) : NULL;
177 tls_cert_version(void * cert)
179 return string_sprintf("%d", gnutls_x509_crt_get_version(cert));
183 tls_cert_ext_by_oid(void * cert, uschar * oid, int idx)
192 ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
193 oid, idx, cp1, &siz, &crit);
194 if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
196 fprintf(stderr, "%s: ge0 fail: %s\n", __FUNCTION__, gnutls_strerror(ret));
200 cp1 = store_get(siz*4 + 1);
202 ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
203 oid, idx, cp1, &siz, &crit);
206 fprintf(stderr, "%s: ge1 fail: %s\n", __FUNCTION__, gnutls_strerror(ret));
210 /* binary data, DER encoded */
212 /* just dump for now */
213 for(cp3 = cp2 = cp1+siz; cp1 < cp2; cp3 += 3, cp1++)
214 sprintf(cp3, "%.2x ", *cp1);
221 tls_cert_subject_altname(void * cert)
228 ret = gnutls_x509_crt_get_subject_alt_name ((gnutls_x509_crt_t)cert,
232 case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
234 case GNUTLS_E_SHORT_MEMORY_BUFFER:
237 expand_string_message =
238 string_sprintf("%s: gs0 fail: %d %s\n", __FUNCTION__,
239 ret, gnutls_strerror(ret));
243 cp = store_get(siz+1);
244 ret = gnutls_x509_crt_get_subject_alt_name ((gnutls_x509_crt_t)cert,
248 expand_string_message =
249 string_sprintf("%s: gs1 fail: %d %s\n", __FUNCTION__,
250 ret, gnutls_strerror(ret));
258 tls_cert_ocsp_uri(void * cert)
260 #if GNUTLS_VERSION_NUMBER >= 0x030000
263 int ret = gnutls_x509_crt_get_authority_info_access((gnutls_x509_crt_t)cert,
264 0, GNUTLS_IA_OCSP_URI, &uri, &crit);
267 return string_copyn(uri.data, uri.size);
269 if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
270 expand_string_message =
271 string_sprintf("%s: gai fail: %d %s\n", __FUNCTION__,
272 ret, gnutls_strerror(ret));
278 expand_string_message =
279 string_sprintf("%s: OCSP support with GnuTLS requires version 3.0.0\n",
287 tls_cert_crl_uri(void * cert)
293 ret = gnutls_x509_crt_get_crl_dist_points ((gnutls_x509_crt_t)cert,
294 0, cp, &siz, NULL, NULL);
297 case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
299 case GNUTLS_E_SHORT_MEMORY_BUFFER:
302 expand_string_message =
303 string_sprintf("%s: gc0 fail: %d %s\n", __FUNCTION__,
304 ret, gnutls_strerror(ret));
308 cp = store_get(siz+1);
309 ret = gnutls_x509_crt_get_crl_dist_points ((gnutls_x509_crt_t)cert,
310 0, cp, &siz, NULL, NULL);
313 expand_string_message =
314 string_sprintf("%s: gs1 fail: %d %s\n", __FUNCTION__,
315 ret, gnutls_strerror(ret));
325 /* End of tlscert-gnu.c */