authorNikos Mavrogiannopoulos <nmav@gnutls.org>2014-07-21 16:50:52 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2014-07-21 16:57:39 +0200
commit2835f52e3e347b28d3a50205c8289313345c6d14 (patch)
tree07f8b97b888a6345a4bb17cd2fc350cff3a1b752 /lib
parent9efd9d49e10ca77eb947cb3e1dfc23f6cf72fa38 (diff)
Added gnutls_x509_trust_list_add_trust_dir()
This essentially exports the functionality of reading trusted certificates from a directory.
Diffstat (limited to 'lib')
-rw-r--r--lib/includes/gnutls/x509.h8
-rw-r--r--lib/libgnutls.map1
-rw-r--r--lib/system.c44
-rw-r--r--lib/x509/verify-high2.c93
4 files changed, 105 insertions, 41 deletions
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 766c0d1b3c..b1de9ef1b1 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -1286,6 +1286,14 @@ gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t
unsigned int tl_vflags);
int
+gnutls_x509_trust_list_add_trust_dir(gnutls_x509_trust_list_t list,
+ const char *ca_dir,
+ const char *crl_dir,
+ gnutls_x509_crt_fmt_t type,
+ unsigned int tl_flags,
+ unsigned int tl_vflags);
+
+int
gnutls_x509_trust_list_remove_trust_file(gnutls_x509_trust_list_t
list,
const char *ca_file,
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index df80468bf0..5399f6d6d0 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1012,6 +1012,7 @@ GNUTLS_3_1_0 {
gnutls_packet_deinit;
gnutls_record_recv_packet;
gnutls_packet_get;
+ gnutls_x509_trust_list_add_trust_dir;
} GNUTLS_3_0_0;
GNUTLS_FIPS140 {
diff --git a/lib/system.c b/lib/system.c
index 42b4f43808..1c71bf65fb 100644
--- a/lib/system.c
+++ b/lib/system.c
@@ -508,40 +508,6 @@ static int load_revoked_certs(gnutls_x509_trust_list_t list, unsigned type)
}
# endif
-static int load_dir_certs(const char *dirname,
- gnutls_x509_trust_list_t list,
- unsigned int tl_flags, unsigned int tl_vflags,
- unsigned type)
-{
- DIR *dirp;
- struct dirent *d;
- int ret;
- int r = 0;
- char path[GNUTLS_PATH_MAX];
-
- dirp = opendir(dirname);
- if (dirp != NULL) {
- do {
- d = readdir(dirp);
- if (d != NULL && d->d_type == DT_REG) {
- snprintf(path, sizeof(path), "%s/%s",
- dirname, d->d_name);
-
- ret =
- gnutls_x509_trust_list_add_trust_file
- (list, path, NULL, type, tl_flags,
- tl_vflags);
- if (ret >= 0)
- r += ret;
- }
- }
- while (d != NULL);
- closedir(dirp);
- }
-
- return r;
-}
-
/* This works on android 4.x
*/
@@ -551,9 +517,8 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
{
int r = 0, ret;
- ret =
- load_dir_certs(DEFAULT_TRUST_STORE_DIR, list, tl_flags,
- tl_vflags, GNUTLS_X509_FMT_PEM);
+ ret = gnutls_x509_trust_list_add_trust_dir(list, DEFAULT_TRUST_STORE_DIR,
+ NULL, GNUTLS_X509_FMT_PEM, tl_flags, tl_vflags);
if (ret >= 0)
r += ret;
@@ -562,9 +527,8 @@ int add_system_trust(gnutls_x509_trust_list_t list, unsigned int tl_flags,
if (ret >= 0)
r -= ret;
- ret =
- load_dir_certs("/data/misc/keychain/cacerts-added/", list,
- tl_flags, tl_vflags, GNUTLS_X509_FMT_DER);
+ ret = gnutls_x509_trust_list_add_trust_dir(list, "/data/misc/keychain/cacerts-added/",
+ NULL, GNUTLS_X509_FMT_DER, tl_flags, tl_vflags);
if (ret >= 0)
r += ret;
# endif
diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c
index ab55ab7587..ec55f385e3 100644
--- a/lib/x509/verify-high2.c
+++ b/lib/x509/verify-high2.c
@@ -1,5 +1,6 @@
/*
- * Copyright (C) 2012 Free Software Foundation, Inc.
+ * Copyright (C) 2012-2014 Free Software Foundation, Inc.
+ * Copyright (C) 2014 Nikos Mavrogiannopoulos
*
* Author: Nikos Mavrogiannopoulos
*
@@ -33,6 +34,8 @@
#include "verify-high.h"
#include "read-file.h"
+#include <dirent.h>
+
/* Convenience functions for verify-high functionality
*/
@@ -285,6 +288,94 @@ gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,
return ret;
}
+static
+int load_dir_certs(const char *dirname,
+ gnutls_x509_trust_list_t list,
+ unsigned int tl_flags, unsigned int tl_vflags,
+ unsigned type, unsigned crl)
+{
+ DIR *dirp;
+ struct dirent *d;
+ int ret;
+ int r = 0;
+ char path[GNUTLS_PATH_MAX];
+
+ dirp = opendir(dirname);
+ if (dirp != NULL) {
+ do {
+ d = readdir(dirp);
+ if (d != NULL && d->d_type == DT_REG) {
+ snprintf(path, sizeof(path), "%s/%s",
+ dirname, d->d_name);
+
+ if (crl != 0) {
+ ret =
+ gnutls_x509_trust_list_add_trust_file
+ (list, NULL, path, type, tl_flags,
+ tl_vflags);
+ } else {
+ ret =
+ gnutls_x509_trust_list_add_trust_file
+ (list, path, NULL, type, tl_flags,
+ tl_vflags);
+ }
+ if (ret >= 0)
+ r += ret;
+ }
+ }
+ while (d != NULL);
+ closedir(dirp);
+ }
+
+ return r;
+}
+
+/**
+ * gnutls_x509_trust_list_add_trust_dir:
+ * @list: The structure of the list
+ * @ca_dir: A directory containing the CAs (optional)
+ * @crl_dir: A directory containing a list of CRLs (optional)
+ * @type: The format of the certificates
+ * @tl_flags: GNUTLS_TL_*
+ * @tl_vflags: gnutls_certificate_verify_flags if flags specifies GNUTLS_TL_VERIFY_CRL
+ *
+ * This function will add the given certificate authorities
+ * to the trusted list. Only directories are accepted by
+ * this function.
+ *
+ * Returns: The number of added elements is returned.
+ *
+ * Since: 3.3.6
+ **/
+int
+gnutls_x509_trust_list_add_trust_dir(gnutls_x509_trust_list_t list,
+ const char *ca_dir,
+ const char *crl_dir,
+ gnutls_x509_crt_fmt_t type,
+ unsigned int tl_flags,
+ unsigned int tl_vflags)
+{
+ int ret = 0;
+
+ if (ca_dir != NULL) {
+ int r = 0;
+ r = load_dir_certs(ca_dir, list, tl_flags, tl_vflags, type, 0);
+
+ if (r >= 0)
+ ret += r;
+ }
+
+ if (crl_dir) {
+ int r = 0;
+ r = load_dir_certs(ca_dir, list, tl_flags, tl_vflags, type, 1);
+
+ if (r >= 0)
+ ret += r;
+ }
+
+ return ret;
+}
+
/**
* gnutls_x509_trust_list_remove_trust_file:
* @list: The structure of the list
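Review bot: The crl_dir branch near the end of gnutls_x509_trust_list_add_trust_dir checks crl_dir but then passes ca_dir to load_dir_certs, so CRLs are never read from crl_dir, and a caller that supplies a crl_dir with ca_dir == NULL hands a null pointer to opendir(); the line should read `r = load_dir_certs(crl_dir, list, tl_flags, tl_vflags, type, 1);`. Separately, load_dir_certs only accepts entries whose d_type == DT_REG, so a trust directory made of symlinks (DT_LNK) or one on a filesystem that reports DT_UNKNOWN is silently skipped and the function returns 0 with no error, which is easy to mistake for "no certificates present"; accepting DT_LNK/DT_UNKNOWN and confirming with stat() on the built path would close that gap. d_type and DT_REG are glibc/BSD extensions rather than POSIX, so their unconditional use here is worth confirming against every supported target before the helper leaves its previous home. The snprintf() return value is also unchecked, so a name longer than GNUTLS_PATH_MAX is truncated into a different path rather than skipped; compare the result against sizeof(path) and skip the entry on truncation.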