diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2010-05-18 22:17:34 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2010-06-03 19:42:02 +0200 |
commit | 7235776221b10fb6ab2640dad84b8fde7a21055d (patch) | |
tree | 2578c65b79ac9c8c952392dcc3338ba42678bc05 /lib/gnutls_x509.c | |
parent | d3507b551241150eef8b4190b75a20ae235691ed (diff) | |
download | gnutls-7235776221b10fb6ab2640dad84b8fde7a21055d.tar.gz |
The gnutls-cli --x509cafile can now be a PKCS #11 URL. It can read gnome-keyring's
certificates and use them in the trusted list.
Diffstat (limited to 'lib/gnutls_x509.c')
-rw-r--r-- | lib/gnutls_x509.c | 75 |
1 files changed, 74 insertions, 1 deletions
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c index 24593d10a4..2241d94bfc 100644 --- a/lib/gnutls_x509.c +++ b/lib/gnutls_x509.c @@ -562,6 +562,68 @@ cleanup: /* Reads a private key from a token. */ +static int read_cas_url (gnutls_certificate_credentials_t res, const char* url) +{ +int ret; +gnutls_x509_crt_t * xcrt_list = NULL; +gnutls_pkcs11_crt_t *pcrt_list=NULL; +unsigned int pcrt_list_size = 0; + + ret = gnutls_pkcs11_crt_list_import_url( NULL, &pcrt_list_size, url, GNUTLS_PKCS11_CRT_ATTR_TRUSTED); + if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { + gnutls_assert(); + return ret; + } + + if (pcrt_list_size == 0) { + gnutls_assert(); + return 0; + } + + pcrt_list = gnutls_malloc(sizeof(*pcrt_list)*pcrt_list_size); + if (pcrt_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + ret = gnutls_pkcs11_crt_list_import_url( pcrt_list, &pcrt_list_size, url, GNUTLS_PKCS11_CRT_ATTR_TRUSTED); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + xcrt_list = gnutls_malloc(sizeof(*xcrt_list)*pcrt_list_size); + if (xcrt_list == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + ret = gnutls_x509_crt_list_import_pkcs11(xcrt_list, pcrt_list_size, pcrt_list, 0); + if (xcrt_list == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + res->x509_ca_list = xcrt_list; + res->x509_ncas = pcrt_list_size; + + gnutls_free(pcrt_list); + + return pcrt_list_size; + +cleanup: + gnutls_free(xcrt_list); + gnutls_free(pcrt_list); + + return ret; + +} + + +/* Reads a private key from a token. + */ static int read_cert_url (gnutls_certificate_credentials_t res, const char* url) { int ret; @@ -883,6 +945,9 @@ gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res, * Currently only PKCS-1 encoded RSA and DSA private keys are accepted by * this function. * + * This function can also accept PKCS #11 URLs. In that case it + * will import the private key and certificate indicated by the urls. + * * Returns: %GNUTLS_E_SUCCESS on success, or an error code. **/ int @@ -1285,6 +1350,9 @@ gnutls_certificate_set_x509_trust (gnutls_certificate_credentials_t res, * the client if a certificate request is sent. This can be disabled * using gnutls_certificate_send_x509_rdn_sequence(). * + * This function can also accept PKCS #11 URLs. In that case it + * will import all certificates that are marked as trusted. + * * Returns: number of certificates processed, or a negative value on * error. **/ @@ -1295,8 +1363,13 @@ gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t res, { int ret, ret2; size_t size; - char *data = read_binary_file (cafile, &size); + char* data; + + if (strncmp(cafile, "pkcs11:", 7)==0) { + return read_cas_url(res, cafile); + } + data = read_binary_file (cafile, &size); if (data == NULL) { gnutls_assert (); |