From 7235776221b10fb6ab2640dad84b8fde7a21055d Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Tue, 18 May 2010 22:17:34 +0200 Subject: The gnutls-cli --x509cafile can now be a PKCS #11 URL. It can read gnome-keyring's certificates and use them in the trusted list. --- lib/gnutls_x509.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 74 insertions(+), 1 deletion(-) (limited to 'lib/gnutls_x509.c') diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c index 24593d10a4..2241d94bfc 100644 --- a/lib/gnutls_x509.c +++ b/lib/gnutls_x509.c @@ -560,6 +560,68 @@ cleanup: return ret; } +/* Reads a private key from a token. + */ +static int read_cas_url (gnutls_certificate_credentials_t res, const char* url) +{ +int ret; +gnutls_x509_crt_t * xcrt_list = NULL; +gnutls_pkcs11_crt_t *pcrt_list=NULL; +unsigned int pcrt_list_size = 0; + + ret = gnutls_pkcs11_crt_list_import_url( NULL, &pcrt_list_size, url, GNUTLS_PKCS11_CRT_ATTR_TRUSTED); + if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER) { + gnutls_assert(); + return ret; + } + + if (pcrt_list_size == 0) { + gnutls_assert(); + return 0; + } + + pcrt_list = gnutls_malloc(sizeof(*pcrt_list)*pcrt_list_size); + if (pcrt_list == NULL) { + gnutls_assert(); + return GNUTLS_E_MEMORY_ERROR; + } + + ret = gnutls_pkcs11_crt_list_import_url( pcrt_list, &pcrt_list_size, url, GNUTLS_PKCS11_CRT_ATTR_TRUSTED); + if (ret < 0) { + gnutls_assert(); + goto cleanup; + } + + xcrt_list = gnutls_malloc(sizeof(*xcrt_list)*pcrt_list_size); + if (xcrt_list == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + ret = gnutls_x509_crt_list_import_pkcs11(xcrt_list, pcrt_list_size, pcrt_list, 0); + if (xcrt_list == NULL) { + gnutls_assert(); + ret = GNUTLS_E_MEMORY_ERROR; + goto cleanup; + } + + res->x509_ca_list = xcrt_list; + res->x509_ncas = pcrt_list_size; + + gnutls_free(pcrt_list); + + return pcrt_list_size; + +cleanup: + gnutls_free(xcrt_list); + gnutls_free(pcrt_list); + + return ret; + +} + + /* Reads a private key from a token. */ static int read_cert_url (gnutls_certificate_credentials_t res, const char* url) @@ -883,6 +945,9 @@ gnutls_certificate_set_x509_key (gnutls_certificate_credentials_t res, * Currently only PKCS-1 encoded RSA and DSA private keys are accepted by * this function. * + * This function can also accept PKCS #11 URLs. In that case it + * will import the private key and certificate indicated by the urls. + * * Returns: %GNUTLS_E_SUCCESS on success, or an error code. **/ int @@ -1285,6 +1350,9 @@ gnutls_certificate_set_x509_trust (gnutls_certificate_credentials_t res, * the client if a certificate request is sent. This can be disabled * using gnutls_certificate_send_x509_rdn_sequence(). * + * This function can also accept PKCS #11 URLs. In that case it + * will import all certificates that are marked as trusted. + * * Returns: number of certificates processed, or a negative value on * error. **/ @@ -1295,8 +1363,13 @@ gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t res, { int ret, ret2; size_t size; - char *data = read_binary_file (cafile, &size); + char* data; + + if (strncmp(cafile, "pkcs11:", 7)==0) { + return read_cas_url(res, cafile); + } + data = read_binary_file (cafile, &size); if (data == NULL) { gnutls_assert (); -- cgit v1.2.1