authorSimon Josefsson <simon@josefsson.org>2007-08-10 15:20:40 +0200
committerSimon Josefsson <simon@josefsson.org>2007-08-10 15:20:40 +0200
commit4431c4369db575dc8ecd8ec3622bc2dfc9bee725 (patch)
tree00edcc793ad683e774bf21e2f3befe1ab6c5e16e /lib/gnutls_x509.c
parent12aaffb7aaa04b48a988b68449c64cc3c2b2d0d3 (diff)
downloadgnutls-4431c4369db575dc8ecd8ec3622bc2dfc9bee725.tar.gz
External signing callback interface.
* includes/gnutls/gnutls.h.in (gnutls_sign_func): New type. (gnutls_sign_callback_set): New function. * includes/gnutls/x509.h (gnutls_x509_privkey_sign_hash): New function. * lib/gnutls_x509.c (gnutls_certificate_set_x509_key_mem): Handle NULL key. Doc fix. * lib/gnutls_sig.c (_gnutls_tls_sign_hdata): Pass session to _gnutls_tls_sign. (_gnutls_tls_sign_params): Likewise. (_gnutls_tls_sign): Add new parameter 'session'. Call sign callback if appropriate. (gnutls_sign_callback_set): New function. * lib/gnutls_x509.c (read_key_mem): Support a NULL key. * lib/gnutls_int.h (internals_st): Add sign_func, sign_func_userdata. * lib/auth_dhe.c (gen_dhe_server_kx): Use length of certificate list to decide whether to sign, not presence of private key. * lib/auth_cert.c (_gnutls_gen_cert_client_cert_vrfy): Likewise. * lib/auth_rsa_export.c (gen_rsa_export_server_kx): Likewise. * lib/auth_cert.c(_gnutls_get_selected_cert): Don't require that private key is present. * lib/auth_rsa_export.c (gen_rsa_export_server_kx): Don't check key size when key is not present, assume it is > 512 bits. * lib/x509/privkey.c (gnutls_x509_privkey_sign_hash): New function. * tests/Makefile.am: Add x509signself.
Diffstat (limited to 'lib/gnutls_x509.c')
-rw-r--r--lib/gnutls_x509.c37
1 files changed, 23 insertions, 14 deletions
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index d4b66ac500..352f0028d0 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -702,9 +702,9 @@ _gnutls_x509_raw_privkey_to_gkey (gnutls_privkey * privkey,
return 0;
}
-/* Reads a PEM encoded PKCS-1 RSA private key from memory
- * 2002-01-26: Added ability to read DSA keys.
- * type indicates the certificate format.
+/* Reads a PEM encoded PKCS-1 RSA/DSA private key from memory. Type
+ * indicates the certificate format. KEY can be NULL, to indicate
+ * that GnuTLS doesn't know the private key.
*/
static int
read_key_mem (gnutls_certificate_credentials_t res,
@@ -724,16 +724,21 @@ read_key_mem (gnutls_certificate_credentials_t res,
return GNUTLS_E_MEMORY_ERROR;
}
- tmp.data = (opaque *) key;
- tmp.size = key_size;
-
- ret =
- _gnutls_x509_raw_privkey_to_gkey (&res->pkey[res->ncerts], &tmp, type);
- if (ret < 0)
+ if (key)
{
- gnutls_assert ();
- return ret;
+ tmp.data = (opaque *) key;
+ tmp.size = key_size;
+
+ ret =
+ _gnutls_x509_raw_privkey_to_gkey (&res->pkey[res->ncerts], &tmp, type);
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ return ret;
+ }
}
+ else
+ memset (&res->pkey[res->ncerts], 0, sizeof (gnutls_privkey));
return 0;
}
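Review bot: In the new `else` branch of read_key_mem, zeroing `res->pkey[res->ncerts]` appears to be the only signal later code gets that no private key was supplied, and `key_size` is silently ignored whenever `key` is NULL; neither is stated at the branch. A comment there would stop the next maintainer from reading the empty slot as a bug: `/* No key supplied (sign callback in use): leave an all-zero gnutls_privkey so the slot is recognisably empty; key_size is ignored in this case. */`. Whether every consumer of res->pkey checks for the zeroed form is not visible in this hunk; the auth_* callers named in the commit message are where that needs confirming.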
@@ -790,7 +795,7 @@ read_key_file (gnutls_certificate_credentials_t res,
* gnutls_certificate_set_x509_key_mem - Used to set keys in a gnutls_certificate_credentials_t structure
* @res: is an #gnutls_certificate_credentials_t structure.
* @cert: contains a certificate list (path) for the specified private key
- * @key: is the private key
+ * @key: is the private key, or %NULL
* @type: is PEM or DER
*
* This function sets a certificate/private key pair in the
@@ -811,6 +816,9 @@ read_key_file (gnutls_certificate_credentials_t res,
* If the certificate and the private key are given in PEM encoding
* then the strings that hold their values must be null terminated.
*
+ * The @key may be %NULL if you are using a sign callback, see
+ * gnutls_sign_callback_set().
+ *
**/
int
gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t
@@ -822,7 +830,8 @@ gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t
/* this should be first
*/
- if ((ret = read_key_mem (res, key->data, key->size, type)) < 0)
+ if ((ret = read_key_mem (res, key ? key->data : NULL,
+ key ? key->size : 0, type)) < 0)
return ret;
if ((ret = read_cert_mem (res, cert->data, cert->size, type)) < 0)
@@ -830,7 +839,7 @@ gnutls_certificate_set_x509_key_mem (gnutls_certificate_credentials_t
res->ncerts++;
- if ((ret = _gnutls_check_key_cert_match (res)) < 0)
+ if (key && (ret = _gnutls_check_key_cert_match (res)) < 0)
{
gnutls_assert ();
return ret;
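Review bot: With `key == NULL` the new condition `if (key && (ret = _gnutls_check_key_cert_match (res)) < 0)` skips the key/certificate consistency check entirely, so credentials whose signing callback uses a key unrelated to the certificate are accepted here and presumably only fail later, during the handshake. The docstring added in the earlier hunk (`The @key may be %NULL if you are using a sign callback ...`) should state this consequence, e.g. `When @key is %NULL the key/certificate match check is skipped; the caller must ensure the signing callback uses the private key matching @cert.`. The enclosing function continues past the end of this hunk.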