author | Ludwig Nussel <ludwig.nussel@suse.de> | 2012-05-08 16:28:25 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2012-05-10 20:28:21 +0200 |
commit | 076626b83619dcc5638e27b92240c3d4d696a92d (patch) | |
tree | 2f35f208848e6b7f6f7a7e94218df4cb062c173d | |
parent | 8182e8059ea649d0296a71652cb59f6411293845 (diff) | |
introduce gnutls_certificate_set_x509_system_trust
gnutls_certificate_set_x509_system_trust() imports the trusted root CAs
from a compile-time-defined location. That way applications don't
need to know it.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-rw-r--r-- | configure.ac | 37 | ||||
-rw-r--r-- | doc/Makefile.am | 1 | ||||
-rw-r--r-- | doc/manpages/Makefile.am | 1 | ||||
-rw-r--r-- | lib/gnutls_x509.c | 55 | ||||
-rw-r--r-- | lib/includes/gnutls/gnutls.h.in | 3 | ||||
-rw-r--r-- | lib/libgnutls.map | 5 | ||||
-rw-r--r-- | src/cli.c | 29 |
7 files changed, 115 insertions, 16 deletions
diff --git a/configure.ac b/configure.ac index ee37707d23..670190d90d 100644 --- a/configure.ac +++ b/configure.ac @@ -285,6 +285,41 @@ AC_PROG_LN_S AC_LIBTOOL_WIN32_DLL AC_PROG_LIBTOOL +AC_ARG_WITH([default-trust-store-pkcs11], + [AS_HELP_STRING([--with-default-trust-store-pkcs11=URI], + [use the given pkcs11 uri as default trust store])]) + +if test "x$with_default_trust_store_pkcs11" != x; then + if test "x$with_p11_kit" = xno; then + AC_MSG_ERROR([cannot use pkcs11 store without p11-kit]) + fi + AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_PKCS11], + ["$with_default_trust_store_pkcs11"], [use the given pkcs11 uri as default trust store]) +fi + +AC_ARG_WITH([default-trust-store-file], + [AS_HELP_STRING([--with-default-trust-store-file=FILE], + [use the given file default trust store])]) + +if test "x$with_default_trust_store_pkcs11" = x -a "x$with_default_trust_store_file" = x; then + # auto detect http://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.html + for i in \ + /etc/ssl/certs/ca-certificates.crt \ + /etc/pki/tls/cert.pem \ + /usr/local/share/certs/ca-root-nss.crt + do + if test -e $i; then + with_default_trust_store_file="$i" + break + fi + done +fi + +if test "x$with_default_trust_store_file" != x; then + AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_FILE], + ["$with_default_trust_store_file"], [use the given file default trust store]) +fi + dnl Guile bindings. opt_guile_bindings=yes AC_MSG_CHECKING([whether building Guile bindings]) @@ -518,6 +553,8 @@ if features are disabled) SRP support: $ac_enable_srp PSK support: $ac_enable_psk Anon auth support:$ac_enable_anon + Trust store pkcs: $with_default_trust_store_pkcs11 + Trust store file: $with_default_trust_store_file ]) AC_MSG_NOTICE([Optional applications: diff --git a/doc/Makefile.am b/doc/Makefile.am index 6ae5ecb090..2879fcde98 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am 
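Review bot: The autodetect loop in the first hunk ends silently when none of the three probed paths exists on the build host, so DEFAULT_TRUST_STORE_FILE is left undefined and the resulting library has no system trust store at all; the only visible trace is an empty `Trust store file:` field in the configure summary. Because the probe runs on the build machine rather than the target, this is the expected outcome in a minimal build chroot or a cross build, and it should be loud rather than implicit: after the `done` of the loop I would add `if test "x$with_default_trust_store_file" = x; then AC_MSG_WARN([no default trust store found; pass --with-default-trust-store-file=FILE or --with-default-trust-store-pkcs11=URI]); fi`. Note also that `test -e $i` accepts a directory or an unreadable file as a hit; `test -f "$i"` is the closer match for a PEM bundle. The `$with_p11_kit` check presumably relies on an AC_ARG_WITH defined earlier in configure.ac, outside this hunk, so it only rejects an explicit `--without-p11-kit` and not the case where p11-kit was simply not detected; worth confirming against that earlier block.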
@@ -719,6 +719,7 @@ FUNCS += functions/gnutls_certificate_free_crls FUNCS += functions/gnutls_certificate_set_dh_params FUNCS += functions/gnutls_certificate_set_verify_flags FUNCS += functions/gnutls_certificate_set_verify_limits +FUNCS += functions/gnutls_certificate_set_x509_system_trust FUNCS += functions/gnutls_certificate_set_x509_trust_file FUNCS += functions/gnutls_certificate_set_x509_trust_mem FUNCS += functions/gnutls_certificate_set_x509_crl_file diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am index 0886d2575c..04f0eae727 100644 --- a/doc/manpages/Makefile.am +++ b/doc/manpages/Makefile.am @@ -314,6 +314,7 @@ APIMANS += gnutls_certificate_free_crls.3 APIMANS += gnutls_certificate_set_dh_params.3 APIMANS += gnutls_certificate_set_verify_flags.3 APIMANS += gnutls_certificate_set_verify_limits.3 +APIMANS += gnutls_certificate_set_x509_system_trust.3 APIMANS += gnutls_certificate_set_x509_trust_file.3 APIMANS += gnutls_certificate_set_x509_trust_mem.3 APIMANS += gnutls_certificate_set_x509_crl_file.3 diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c index 3275395478..2b28edd6b5 100644 --- a/lib/gnutls_x509.c +++ b/lib/gnutls_x509.c 
@@ -1588,6 +1588,61 @@ gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t cred, return ret; } +#ifdef DEFAULT_TRUST_STORE_FILE +static int +_gnutls_certificate_set_x509_system_trust_file (gnutls_certificate_credentials_t cred) +{ + int ret; + gnutls_datum_t cas; + size_t size; + + cas.data = (void*)read_binary_file (DEFAULT_TRUST_STORE_FILE, &size); + if (cas.data == NULL) + { + gnutls_assert (); + return GNUTLS_E_FILE_ERROR; + } + + cas.size = size; + + ret = gnutls_certificate_set_x509_trust_mem(cred, &cas, GNUTLS_X509_FMT_PEM); + + free (cas.data); + + if (ret < 0) + { + gnutls_assert (); + } + + return ret; +} +#endif + +/** + * gnutls_certificate_set_x509_system_trust: + * @cred: is a #gnutls_certificate_credentials_t structure. + * + * This function adds the system's default trusted CAs in order to + * verify client or server certificates. + * + **/ +int +gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred) +{ + int ret, r = 0; +#if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11) + ret = read_cas_url (cred, DEFAULT_TRUST_STORE_PKCS11); + if (ret > 0) + r += ret; +#endif +#ifdef DEFAULT_TRUST_STORE_FILE + ret = _gnutls_certificate_set_x509_system_trust_file(cred); + if (ret > 0) + r += ret; +#endif + return r; +} + static int parse_pem_crl_mem (gnutls_x509_trust_list_t tlist, const char * input_crl, unsigned int input_crl_size) diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in index 5eff94ab66..ed4d794876 100644 --- a/lib/includes/gnutls/gnutls.h.in +++ b/lib/includes/gnutls/gnutls.h.in @@ -1103,6 +1103,9 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t session); unsigned int max_depth); int + gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred); + + int gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t cred, const char *cafile, gnutls_x509_crt_fmt_t type); 
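Review bot: gnutls_certificate_set_x509_system_trust discards every negative `ret` from read_cas_url and _gnutls_certificate_set_x509_system_trust_file (only `ret > 0` is folded into `r`), so a missing or unparsable trust store at runtime — the configure-time path need not exist on the machine the library runs on — is reported to the caller as a successful load of zero CAs, indistinguishable from an empty store; the same happens when neither DEFAULT_TRUST_STORE_* macro is defined, where `ret` is never assigned and `r` stays 0. A caller that checks only `ret < 0`, as the src/cli.c hunk in this commit does, then proceeds with an empty trust set. I would remember the last failure and return it when nothing was loaded, and document the contract in the gtk-doc block, which currently has no `Returns:` line: `Returns: the number of certificates processed, or a negative error code if no certificate could be loaded from any configured store.` A one-line comment on the `#if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11)` branch saying that the PKCS#11 store is tried first and the file store is then added rather than being an alternative would also help. In _gnutls_certificate_set_x509_system_trust_file, `cas.size = size` narrows a size_t into the datum's unsigned int; harmless for any real CA bundle but worth a comment or a bound check since read_binary_file is reading a system-writable path.
```c
int
gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred)
{
  int ret, r = 0, err = 0;
#if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11)
  ret = read_cas_url (cred, DEFAULT_TRUST_STORE_PKCS11);
  if (ret > 0)
    r += ret;
  else if (ret < 0)
    err = ret;          /* remember, but still try the file store */
#endif
#ifdef DEFAULT_TRUST_STORE_FILE
  ret = _gnutls_certificate_set_x509_system_trust_file (cred);
  if (ret > 0)
    r += ret;
  else if (ret < 0)
    err = ret;
#endif
  /* Nothing loaded and a backend failed: report the failure rather than
     a CA count of zero, so callers do not continue with an empty trust set. */
  if (r == 0 && err < 0)
    {
      gnutls_assert ();
      return err;
    }
  return r;
}
```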
diff --git a/lib/libgnutls.map b/lib/libgnutls.map index 33df09be8d..acde6ee08c 100644 --- a/lib/libgnutls.map +++ b/lib/libgnutls.map @@ -790,6 +790,11 @@ GNUTLS_3_0_0 { gnutls_pk_to_sign; } GNUTLS_2_12; +GNUTLS_3_0_1 { + global: + gnutls_certificate_set_x509_system_trust; +} GNUTLS_3_0_0; + GNUTLS_PRIVATE { global: # Internal symbols needed by libgnutls-extra: @@ -479,9 +479,6 @@ cert_verify_callback (gnutls_session_t session) int ssh = ENABLED_OPT(TOFU); const char* txt_service; - if (!x509_cafile && !pgp_keyring) - return 0; - rc = cert_verify(session, hostname); if (rc == 0) { @@ -1184,11 +1181,6 @@ const char* rest = NULL; if (HAVE_OPT(X509CAFILE)) x509_cafile = OPT_ARG(X509CAFILE); - else - { - if (access(DEFAULT_CA_FILE, R_OK) == 0) - x509_cafile = DEFAULT_CA_FILE; - } if (HAVE_OPT(X509CRLFILE)) x509_crlfile = OPT_ARG(X509CRLFILE); @@ -1419,15 +1411,20 @@ init_global_tls_stuff (void) { ret = gnutls_certificate_set_x509_trust_file (xcred, x509_cafile, x509ctype); - if (ret < 0) - { - fprintf (stderr, "Error setting the x509 trust file\n"); - } - else - { - printf ("Processed %d CA certificate(s).\n", ret); - } } + else + { + ret = gnutls_certificate_set_x509_system_trust (xcred); + } + if (ret < 0) + { + fprintf (stderr, "Error setting the x509 trust file\n"); + } + else + { + printf ("Processed %d CA certificate(s).\n", ret); + } + if (x509_crlfile != NULL) { ret = gnutls_certificate_set_x509_crl_file (xcred, x509_crlfile, |
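Review bot: In the second src/cli.c hunk, dropping the `access(DEFAULT_CA_FILE, R_OK)` fallback leaves x509_cafile NULL whenever --x509cafile is not given, so the client's trust set then comes entirely from gnutls_certificate_set_x509_system_trust, which in the lib/gnutls_x509.c hunk reports a missing store as a count of 0 rather than an error; the visible `printf ("Processed %d CA certificate(s).\n", ret);` will then print 0 and every later handshake fails verification with nothing pointing at the cause. I would treat that case explicitly where the count is printed: `if (ret == 0) fprintf (stderr, "Warning: no trusted CA certificates were loaded\n");`. Removing the `if (!x509_cafile && !pgp_keyring) return 0;` guard in cert_verify_callback is the right direction, since it previously skipped cert_verify entirely (a zero return from the callback lets the handshake proceed) whenever no CA file was configured, and that deserves a comment above `rc = cert_verify(session, hostname);` such as `/* Always verify: an empty trust set must reject, never silently accept. */` so the guard is not reintroduced. This src/cli.c section has no `diff --git` header in the page as rendered, and cert_verify_callback, the option-parsing block and init_global_tls_stuff all continue outside their hunks.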