author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2010-05-18 22:17:34 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2010-05-18 23:52:02 +0200 |
commit | 61977e2157e742b5d3b3fb0c98f659c983f1b850 (patch) | |
tree | c0fa0014ae90d8e6e569cd17dfc78854320452c2 | |
parent | 11e038dfb69c3258fea776cae13376d4c8f27909 (diff) | |
download | gnutls-61977e2157e742b5d3b3fb0c98f659c983f1b850.tar.gz |
The gnutls-cli --x509cafile can now be a PKCS #11 URL. It can read gnome-keyring's
certificates and use them in the trusted list.
-rw-r--r-- | lib/Makefile.am | 9 | ||||
-rw-r--r-- | lib/configure.ac | 2 | ||||
-rw-r--r-- | lib/gnutls_x509.c | 75 | ||||
-rw-r--r-- | src/cli.c | 1 |
4 files changed, 79 insertions, 8 deletions
diff --git a/lib/Makefile.am b/lib/Makefile.am index 8446975c05..b80467eb88 100644 --- a/lib/Makefile.am +++ b/lib/Makefile.am @@ -82,11 +82,8 @@ COBJECTS = gnutls_record.c gnutls_compress.c debug.c gnutls_cipher.c \ auth_dh_common.c gnutls_helper.c gnutls_supplemental.c \ crypto.c random.c pk-libgcrypt.c mpi-libgcrypt.c cryptodev.c \ rnd-libgcrypt.c cipher-libgcrypt.c mac-libgcrypt.c ext_signature.c \ - crypto-api.c ext_safe_renegotiation.c gnutls_privkey.c - -if ENABLE_PKCS11 -COBJECTS += pkcs11.c pkcs11_privkey.c -endif + crypto-api.c ext_safe_renegotiation.c gnutls_privkey.c \ + pkcs11.c pkcs11_privkey.c if ENABLE_OPRFI COBJECTS += $(OPRFI_COBJECTS) @@ -138,7 +135,7 @@ else libgnutls_la_LDFLAGS += $(LTLIBTASN1) endif -if ENABLE_PKCS11 +if ENABLE_PAKCHOIS libgnutls_la_LDFLAGS += $(LTLIBPAKCHOIS) endif diff --git a/lib/configure.ac b/lib/configure.ac index fdb3857f90..60a2fd1aec 100644 --- a/lib/configure.ac +++ b/lib/configure.ac @@ -94,7 +94,7 @@ if test x$ac_pakchois != xno; then else AC_MSG_RESULT(no) fi -AM_CONDITIONAL(ENABLE_PKCS11, test "$ac_cv_libpakchois" = "yes") +AM_CONDITIONAL(ENABLE_PAKCHOIS, test "$ac_cv_libpakchois" = "yes") lgl_INIT diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c index b2ae575501..78953c43a7 100644 --- a/lib/gnutls_x509.c +++ b/lib/gnutls_x509.c 
@@ -562,6 +562,68 @@ cleanup:
 
 /* Reads a private key from a token.
  */
+static int read_cas_url (gnutls_certificate_credentials_t res, const char* url)
+{
+int ret;
+gnutls_x509_crt_t * xcrt_list = NULL;
+gnutls_pkcs11_crt_t *pcrt_list=NULL;
+unsigned int pcrt_list_size = 0;
+
+ ret = gnutls_pkcs11_crt_list_import_url( NULL, &pcrt_list_size, url, GNUTLS_PKCS11_CRT_ATTR_TRUSTED);
+ if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER) {
+ gnutls_assert();
+ return ret;
+ }
+
+ if (pcrt_list_size == 0) {
+ gnutls_assert();
+ return 0;
+ }
+
+ pcrt_list = gnutls_malloc(sizeof(*pcrt_list)*pcrt_list_size);
+ if (pcrt_list == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ ret = gnutls_pkcs11_crt_list_import_url( pcrt_list, &pcrt_list_size, url, GNUTLS_PKCS11_CRT_ATTR_TRUSTED);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ xcrt_list = gnutls_malloc(sizeof(*xcrt_list)*pcrt_list_size);
+ if (xcrt_list == NULL) {
+ gnutls_assert();
+ ret = GNUTLS_E_MEMORY_ERROR;
+ goto cleanup;
+ }
+
+ ret = gnutls_x509_crt_list_import_pkcs11(xcrt_list, pcrt_list_size, pcrt_list, 0);
+ if (xcrt_list == NULL) {
+ gnutls_assert();
+ ret = GNUTLS_E_MEMORY_ERROR;
+ goto cleanup;
+ }
+
+ res->x509_ca_list = xcrt_list;
+ res->x509_ncas = pcrt_list_size;
+
+ gnutls_free(pcrt_list);
+
+ return pcrt_list_size;
+
+cleanup:
+ gnutls_free(xcrt_list);
+ gnutls_free(pcrt_list);
+
+ return ret;
+
+}
+
+
+/* Reads a private key from a token.
+ */
 static int read_cert_url (gnutls_certificate_credentials_t res, const char* url)
 {
 int ret;
@@ -883,6 +945,9 @@ gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res,
 * Currently only PKCS-1 encoded RSA and DSA private keys are accepted by
 * this function.
 *
+ * This function can also accept PKCS #11 URLs. In that case it
+ * will import the private key and certificate indicated by the urls.
+ *
 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
 **/
 int 
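Review bot: The check that follows `gnutls_x509_crt_list_import_pkcs11()` in read_cas_url tests `xcrt_list == NULL`, a condition already rejected a few lines earlier, so a failed conversion is never noticed and a partially filled array is installed as the trust store through `res->x509_ca_list`; it should read `if (ret < 0) { gnutls_assert(); goto cleanup; }`, and the cleanup path should then deinitialize the certificates imported before the failure instead of only freeing the array. Separately, `res->x509_ca_list = xcrt_list;` replaces whatever list an earlier call left in `res` without freeing it, so trust anchors loaded previously are silently dropped and leaked; appending to the existing list would match what a caller invoking the trust-file setter more than once expects. On both the success and the cleanup path only the `pcrt_list` array is freed, and whether the `gnutls_pkcs11_crt_t` objects it holds need their own deinit is not visible from this hunk, so it is worth confirming against the pkcs11 API. The comment `/* Reads a private key from a token. */` placed above read_cas_url is copied from the neighbouring function and does not describe it; something like `/* Imports the certificates marked trusted under a PKCS #11 URL into the CA list. */` would.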
@@ -1285,6 +1350,9 @@ gnutls_certificate_set_x509_trust (gnutls_certificate_credentials_t res, * the client if a certificate request is sent. This can be disabled * using gnutls_certificate_send_x509_rdn_sequence(). * + * This function can also accept PKCS #11 URLs. In that case it + * will import all certificates that are marked as trusted. + * * Returns: number of certificates processed, or a negative value on * error. **/ @@ -1295,8 +1363,13 @@ gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t res, { int ret, ret2; size_t size; - char *data = read_binary_file (cafile, &size); + char* data; + + if (strncmp(cafile, "pkcs11:", 7)==0) { + return read_cas_url(res, cafile); + } + data = read_binary_file (cafile, &size); if (data == NULL) { gnutls_assert (); @@ -582,6 +582,7 @@ init_tls_session (const char *hostname) gnutls_certificate_set_retrieve_function (xcred, cert_callback); gnutls_certificate_set_verify_function (xcred, cert_verify_callback); + gnutls_certificate_set_verify_flags(xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT); /* send the fingerprint */ #ifdef ENABLE_OPENPGP |
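Review bot: The new `pkcs11:` branch in gnutls_certificate_set_x509_trust_file passes the return value of `read_cas_url()` straight through, and that helper returns 0 when the URL matches no object carrying the trusted attribute, so a mistyped or empty URL yields a successful-looking call that adds no trust anchors at all. A caller that only tests for a negative return then verifies against whatever `res->x509_ca_list` held before, which in a client is easy to miss; returning an error for the zero-match case, or at least stating in the doc comment that 0 means nothing was imported, would make the failure visible. The branch also runs before `type` is consulted, so `type` is ignored for URLs and the documentation added for this case should say so. The rest of the function's body lies outside the hunk.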
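Review bot: The added `gnutls_certificate_set_verify_flags(xcred, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT)` in init_tls_session applies to every gnutls-cli session, not only when --x509cafile is a PKCS #11 URL, so it relaxes verification for ordinary PEM trust files as well. Judging by the flag name it lets version-1 certificates in the trusted list act as CAs, presumably because some keyring-stored roots are v1, but that motivation is recorded nowhere in the change. Gate the call on the cafile being a `pkcs11:` URL or on an explicit command-line option, and put a comment above it such as `/* keyring-stored roots may be X.509 v1; accept them as trusted CAs */` so the relaxation is a deliberate choice rather than a silent new default. init_tls_session starts and ends outside this hunk, and the file header for src/cli.c is missing from the rendered diff.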