From 3a5fef3dad1b93402265363ebac3c81f9387d2bc Mon Sep 17 00:00:00 2001
From: Dmitry Eremin-Solenikov
Date: Sat, 20 May 2017 02:19:17 +0300
Subject: gnutls-serv: allow user to specify multiple x509certile/x509keyfile
Instead of adding more and more variants like x509dsakeyfile or x509ecckeyfile (counting eddsa and gost in future), allow user to specify x509certfile/x509keyfile multiple times. Keep the old options as compatibility options.
Signed-off-by: Dmitry Eremin-Solenikov
Signed-off-by: Nikos Mavrogiannopoulos
---
 src/serv-args.def | 30 ++++++++++++-------
 src/serv.c | 87 +++++++++++++++++++------------------------------------
 2 files changed, 50 insertions(+), 67 deletions(-)
diff --git a/src/serv-args.def b/src/serv-args.def
index 0deac0b674..8900047140 100644
--- a/src/serv-args.def
+++ b/src/serv-args.def
@@ -178,42 +178,52 @@ flag = {
 name = x509keyfile;
 arg-type = string;
 descrip = "X.509 key file or PKCS #11 URL to use";
- doc = "";
+ doc = "Specify the private key file or URI to use; it must correspond to
+the certificate specified in --x509certfile. Multiple keys and certificates
+can be specified with this option and in that case each occurence of keyfile
+must be followed by the corresponding x509certfile or vice-versa.";
+ stack-arg;
+ max = NOLIMIT;
 };
 
 flag = {
 name = x509certfile;
 arg-type = string;
 descrip = "X.509 Certificate file or PKCS #11 URL to use";
- doc = "";
+ doc = "Specify the certificate file or URI to use; it must correspond to
+the key specified in --x509keyfile. Multiple keys and certificates
+can be specified with this option and in that case each occurence of keyfile
+must be followed by the corresponding x509certfile or vice-versa.";
+ stack-arg;
+ max = NOLIMIT;
 };
 
 flag = {
 name = x509dsakeyfile;
- arg-type = string;
+ aliases = x509keyfile;
 descrip = "Alternative X.509 key file or PKCS #11 URL to use";
- doc = "";
+ deprecated;
 };
 
 flag = {
 name = x509dsacertfile;
- arg-type = string;
+ aliases = x509certfile;
 descrip = "Alternative X.509 Certificate file or PKCS #11 URL to use";
- doc = "";
+ deprecated;
 };
 
 flag = {
 name = x509ecckeyfile;
- arg-type = string;
+ aliases = x509keyfile;
 descrip = "Alternative X.509 key file or PKCS #11 URL to use";
- doc = "";
+ deprecated;
 };
 
 flag = {
 name = x509ecccertfile;
- arg-type = string;
+ aliases = x509certfile;
 descrip = "Alternative X.509 Certificate file or PKCS #11 URL to use";
- doc = "";
+ deprecated;
 };
 
 flag = {
diff --git a/src/serv.c b/src/serv.c
index 4bf5fd4c9c..2ed184c270 100644
--- a/src/serv.c
+++ b/src/serv.c
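Review bot: The two new doc strings (x509keyfile and x509certfile) spell "occurence" where "occurrence" is meant; the typo appears once in each. The same sentence also states a stricter contract than the program enforces: serv.c pairs the i-th --x509certfile with the i-th --x509keyfile by position, so the options do not have to alternate, only appear in matching order with equal counts. Wording such as `the N-th key given is paired with the N-th certificate given, so both options must be repeated the same number of times` would describe what the code actually does.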
@@ -70,12 +70,10 @@ const char *srp_passwd_conf = NULL;
 const char *pgp_keyring = NULL;
 const char *pgp_keyfile = NULL;
 const char *pgp_certfile = NULL;
-const char *x509_keyfile = NULL;
-const char *x509_certfile = NULL;
-const char *x509_dsakeyfile = NULL;
-const char *x509_dsacertfile = NULL;
-const char *x509_ecckeyfile = NULL;
-const char *x509_ecccertfile = NULL;
+const char **x509_keyfile = NULL;
+const char **x509_certfile = NULL;
+unsigned x509_certfile_size = 0;
+unsigned x509_keyfile_size = 0;
 const char *x509_cafile = NULL;
 const char *dh_params_file = NULL;
 const char *x509_crlfile = NULL;
@@ -1109,45 +1107,21 @@ int main(int argc, char **argv)
 }
 #endif
 
- if (x509_certfile != NULL && x509_keyfile != NULL) {
- ret = gnutls_certificate_set_x509_key_file
- (cert_cred, x509_certfile, x509_keyfile, x509ctype);
- if (ret < 0) {
- fprintf(stderr,
- "Error reading '%s' or '%s'\n",
- x509_certfile, x509_keyfile);
- GERR(ret);
- exit(1);
- } else
- cert_set = 1;
- }
-
- if (x509_dsacertfile != NULL && x509_dsakeyfile != NULL) {
- ret = gnutls_certificate_set_x509_key_file
- (cert_cred, x509_dsacertfile, x509_dsakeyfile,
- x509ctype);
- if (ret < 0) {
- fprintf(stderr,
- "Error reading '%s' or '%s'\n",
- x509_dsacertfile, x509_dsakeyfile);
- GERR(ret);
- exit(1);
- } else
- cert_set = 1;
- }
+ if (x509_certfile_size > 0 && x509_keyfile_size > 0) {
+ unsigned i;
 
- if (x509_ecccertfile != NULL && x509_ecckeyfile != NULL) {
- ret = gnutls_certificate_set_x509_key_file
- (cert_cred, x509_ecccertfile, x509_ecckeyfile,
- x509ctype);
- if (ret < 0) {
- fprintf(stderr,
- "Error reading '%s' or '%s'\n",
- x509_ecccertfile, x509_ecckeyfile);
- GERR(ret);
- exit(1);
- } else
- cert_set = 1;
+ for (i = 0; i < x509_certfile_size; i++) {
+ ret = gnutls_certificate_set_x509_key_file
+ (cert_cred, x509_certfile[i], x509_keyfile[i], x509ctype);
+ if (ret < 0) {
+ fprintf(stderr,
+ "Error reading '%s' or '%s'\n",
+ x509_certfile[i], x509_keyfile[i]);
+ GERR(ret);
+ exit(1);
+ } else
+ cert_set = 1;
+ }
 }
 
 if (cert_set == 0) {
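Review bot: The new loop reads `x509_keyfile[i]` for every i below x509_certfile_size, but the guard only requires both counts to be non-zero, and the count-mismatch check added to cmd_parser in the last hunk prints its message without exiting; passing more --x509certfile than --x509keyfile arguments therefore indexes past the end of the key list before any error is reported (the opposite imbalance silently ignores the surplus keys). The simplest fix belongs in cmd_parser, `exit(1);` right after its fprintf, so the two lists are guaranteed equal-length by the time main runs; alternatively tighten this guard to `if (x509_certfile_size > 0 && x509_certfile_size == x509_keyfile_size) {`. main's body starts and ends outside the hunk.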
@@ -1678,21 +1652,20 @@ static void cmd_parser(int argc, char **argv)
 if (HAVE_OPT(DHPARAMS))
 dh_params_file = OPT_ARG(DHPARAMS);
 
- if (HAVE_OPT(X509KEYFILE))
- x509_keyfile = OPT_ARG(X509KEYFILE);
- if (HAVE_OPT(X509CERTFILE))
- x509_certfile = OPT_ARG(X509CERTFILE);
-
- if (HAVE_OPT(X509DSAKEYFILE))
- x509_dsakeyfile = OPT_ARG(X509DSAKEYFILE);
- if (HAVE_OPT(X509DSACERTFILE))
- x509_dsacertfile = OPT_ARG(X509DSACERTFILE);
+ if (HAVE_OPT(X509KEYFILE)) {
+ x509_keyfile = STACKLST_OPT(X509KEYFILE);
+ x509_keyfile_size = STACKCT_OPT(X509KEYFILE);
+ }
+ if (HAVE_OPT(X509CERTFILE)) {
+ x509_certfile = STACKLST_OPT(X509CERTFILE);
+ x509_certfile_size = STACKCT_OPT(X509CERTFILE);
+ }
 
 
- if (HAVE_OPT(X509ECCKEYFILE))
- x509_ecckeyfile = OPT_ARG(X509ECCKEYFILE);
- if (HAVE_OPT(X509ECCCERTFILE))
- x509_ecccertfile = OPT_ARG(X509ECCCERTFILE);
+ if (x509_certfile_size != x509_keyfile_size) {
+ fprintf(stderr, "The certificate number provided (%u) doesn't match the keys (%u)\n",
+ x509_certfile_size, x509_keyfile_size);
+ }
 
 if (HAVE_OPT(X509CAFILE))
 x509_cafile = OPT_ARG(X509CAFILE);
-- 
cgit v1.2.1