authorNikos Mavrogiannopoulos <nmav@gnutls.org>2010-05-18 22:17:34 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2010-05-18 23:52:02 +0200
commit61977e2157e742b5d3b3fb0c98f659c983f1b850 (patch)
treec0fa0014ae90d8e6e569cd17dfc78854320452c2
parent11e038dfb69c3258fea776cae13376d4c8f27909 (diff)
The gnutls-cli --x509cafile can now be a PKCS #11 URL. It can read gnome-keyring's
certificates and use them in the trusted list.
-rw-r--r--lib/Makefile.am9
-rw-r--r--lib/configure.ac2
-rw-r--r--lib/gnutls_x509.c75
-rw-r--r--src/cli.c1
4 files changed, 79 insertions, 8 deletions
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 8446975c05..b80467eb88 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -82,11 +82,8 @@ COBJECTS = gnutls_record.c gnutls_compress.c debug.c gnutls_cipher.c \
auth_dh_common.c gnutls_helper.c gnutls_supplemental.c \
crypto.c random.c pk-libgcrypt.c mpi-libgcrypt.c cryptodev.c \
rnd-libgcrypt.c cipher-libgcrypt.c mac-libgcrypt.c ext_signature.c \
- crypto-api.c ext_safe_renegotiation.c gnutls_privkey.c
-
-if ENABLE_PKCS11
-COBJECTS += pkcs11.c pkcs11_privkey.c
-endif
+ crypto-api.c ext_safe_renegotiation.c gnutls_privkey.c \
+ pkcs11.c pkcs11_privkey.c
if ENABLE_OPRFI
COBJECTS += $(OPRFI_COBJECTS)
@@ -138,7 +135,7 @@ else
libgnutls_la_LDFLAGS += $(LTLIBTASN1)
endif
-if ENABLE_PKCS11
+if ENABLE_PAKCHOIS
libgnutls_la_LDFLAGS += $(LTLIBPAKCHOIS)
endif
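Review bot: pkcs11.c and pkcs11_privkey.c are now compiled unconditionally in the first hunk, while $(LTLIBPAKCHOIS) is still added to libgnutls_la_LDFLAGS only under the renamed ENABLE_PAKCHOIS conditional in the second hunk. Unless both sources reduce to stubs when pakchois is absent (not visible here), a build without the library will compile them and then fail at link time. Either keep the two sources under the same conditional, or confirm in the commit message that they are self-guarded.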
diff --git a/lib/configure.ac b/lib/configure.ac
index fdb3857f90..60a2fd1aec 100644
--- a/lib/configure.ac
+++ b/lib/configure.ac
@@ -94,7 +94,7 @@ if test x$ac_pakchois != xno; then
else
AC_MSG_RESULT(no)
fi
-AM_CONDITIONAL(ENABLE_PKCS11, test "$ac_cv_libpakchois" = "yes")
+AM_CONDITIONAL(ENABLE_PAKCHOIS, test "$ac_cv_libpakchois" = "yes")
lgl_INIT
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index b2ae575501..78953c43a7 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -562,6 +562,68 @@ cleanup:
/* Reads a private key from a token.
*/
+static int read_cas_url (gnutls_certificate_credentials_t res, const char* url)
+{
+int ret;
+gnutls_x509_crt_t * xcrt_list = NULL;
+gnutls_pkcs11_crt_t *pcrt_list=NULL;
+unsigned int pcrt_list_size = 0;
+
+ ret = gnutls_pkcs11_crt_list_import_url( NULL, &pcrt_list_size, url, GNUTLS_PKCS11_CRT_ATTR_TRUSTED);
+ if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER) {
+ gnutls_assert();
+ return ret;
+ }
+
+ if (pcrt_list_size == 0) {
+ gnutls_assert();
+ return 0;
+ }
+
+ pcrt_list = gnutls_malloc(sizeof(*pcrt_list)*pcrt_list_size);
+ if (pcrt_list == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ ret = gnutls_pkcs11_crt_list_import_url( pcrt_list, &pcrt_list_size, url, GNUTLS_PKCS11_CRT_ATTR_TRUSTED);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ xcrt_list = gnutls_malloc(sizeof(*xcrt_list)*pcrt_list_size);
+ if (xcrt_list == NULL) {
+ gnutls_assert();
+ ret = GNUTLS_E_MEMORY_ERROR;
+ goto cleanup;
+ }
+
+ ret = gnutls_x509_crt_list_import_pkcs11(xcrt_list, pcrt_list_size, pcrt_list, 0);
+ if (xcrt_list == NULL) {
+ gnutls_assert();
+ ret = GNUTLS_E_MEMORY_ERROR;
+ goto cleanup;
+ }
+
+ res->x509_ca_list = xcrt_list;
+ res->x509_ncas = pcrt_list_size;
+
+ gnutls_free(pcrt_list);
+
+ return pcrt_list_size;
+
+cleanup:
+ gnutls_free(xcrt_list);
+ gnutls_free(pcrt_list);
+
+ return ret;
+
+}
+
+
+/* Reads a private key from a token.
+ */
static int read_cert_url (gnutls_certificate_credentials_t res, const char* url)
{
int ret;
@@ -883,6 +945,9 @@ gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res,
* Currently only PKCS-1 encoded RSA and DSA private keys are accepted by
* this function.
*
+ * This function can also accept PKCS #11 URLs. In that case it
+ * will import the private key and certificate indicated by the urls.
+ *
* Returns: %GNUTLS_E_SUCCESS on success, or an error code.
**/
int
@@ -1285,6 +1350,9 @@ gnutls_certificate_set_x509_trust (gnutls_certificate_credentials_t res,
* the client if a certificate request is sent. This can be disabled
* using gnutls_certificate_send_x509_rdn_sequence().
*
+ * This function can also accept PKCS #11 URLs. In that case it
+ * will import all certificates that are marked as trusted.
+ *
* Returns: number of certificates processed, or a negative value on
* error.
**/
@@ -1295,8 +1363,13 @@ gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t res,
{
int ret, ret2;
size_t size;
- char *data = read_binary_file (cafile, &size);
+ char* data;
+
+ if (strncmp(cafile, "pkcs11:", 7)==0) {
+ return read_cas_url(res, cafile);
+ }
+ data = read_binary_file (cafile, &size);
if (data == NULL)
{
gnutls_assert ();
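Review bot: The return value of `gnutls_x509_crt_list_import_pkcs11` in read_cas_url is never checked — the guard that follows it tests `xcrt_list == NULL` again, which was already established non-NULL a few lines earlier, so an import failure installs an array of uninitialised certificate handles as the trust list and returns success; replace that guard with `if (ret < 0) { gnutls_assert(); goto cleanup; }`. The assignments to `res->x509_ca_list` and `res->x509_ncas` also overwrite whatever CA list the credentials already hold instead of appending, which looks unintended next to the file-based path (the append logic, if any, is outside the hunk). The `pcrt_list` array is freed but the individual `gnutls_pkcs11_crt_t` handles filled in by the second `gnutls_pkcs11_crt_list_import_url` call are never released, which reads as a leak unless `gnutls_x509_crt_list_import_pkcs11` takes ownership of them — worth confirming. Finally, the comment above read_cas_url, and its duplicate now above read_cert_url, reads "Reads a private key from a token"; for read_cas_url it should be `/* Imports the certificates marked trusted at the PKCS #11 URL into res as the CA list. Returns their number, or a negative error code. */`.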
diff --git a/src/cli.c b/src/cli.c
index cbf9452fa8..2d76ec8dbe 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -582,6 +582,7 @@ init_tls_session (const char *hostname)
gnutls_certificate_set_retrieve_function (xcred, cert_callback);
gnutls_certificate_set_verify_function (xcred, cert_verify_callback);
+ gnutls_certificate_set_verify_flags(xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
/* send the fingerprint */
#ifdef ENABLE_OPENPGP
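Review bot: The added `gnutls_certificate_set_verify_flags(xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);` relaxes chain verification for every gnutls-cli session, not only the PKCS #11 trust-list case this commit introduces, since X.509 v1 certificates carry no basicConstraints and the flag lets them act as CAs. If the relaxation is needed for roots stored in a keyring, gate it on the `--x509cafile` value starting with `pkcs11:` or on an explicit command-line option, and leave the default verification behaviour unchanged. init_tls_session continues outside the hunk.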