gnutls-commit

[SCM] GNU gnutls branch, master, updated. gnutls_3_0_18-51-g0b4f25c


From: Nikos Mavrogiannopoulos
Subject: [SCM] GNU gnutls branch, master, updated. gnutls_3_0_18-51-g0b4f25c
Date: Wed, 09 May 2012 16:00:45 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".

http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=0b4f25c18755f4c4b984b46f16cfa8e468891469

The branch, master has been updated
       via  0b4f25c18755f4c4b984b46f16cfa8e468891469 (commit)
      from  d5633875724fe383adb4e994fc72bd7c64acb197 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 0b4f25c18755f4c4b984b46f16cfa8e468891469
Author: Nikos Mavrogiannopoulos <address@hidden>
Date:   Wed May 9 17:54:34 2012 +0200

    Added convenience functions to load a trust list from a file or a memory buffer.
    New functions:
    gnutls_certificate_set_x509_system_trust, gnutls_pkcs11_obj_list_import_url2,
    gnutls_x509_trust_list_add_system_trust, gnutls_x509_trust_list_add_trust_file,
    gnutls_x509_trust_list_add_trust_mem.

-----------------------------------------------------------------------

Summary of changes:
 NEWS                            |    9 ++-
 doc/cha-cert-auth.texi          |   13 ++-
 doc/cha-cert-auth2.texi         |    1 +
 doc/examples/ex-client-dtls.c   |    3 +-
 doc/examples/ex-client-resume.c |    3 +-
 doc/examples/ex-client-srp.c    |    5 +-
 doc/examples/ex-client-x509.c   |    9 +-
 doc/manpages/Makefile.am        |    5 +-
 lib/gnutls_x509.c               |    4 +
 lib/includes/gnutls/pkcs11.h    |    8 ++
 lib/includes/gnutls/x509.h      |   21 +++-
 lib/libgnutls.map               |    6 +-
 lib/pkcs11.c                    |   57 +++++++++
 lib/x509/Makefile.am            |    1 +
 lib/x509/verify-high2.c         |  252 +++++++++++++++++++++++++++++++++++++++
 lib/x509/x509.c                 |    2 +-
 src/cli.c                       |    2 -
 17 files changed, 380 insertions(+), 21 deletions(-)
 create mode 100644 lib/x509/verify-high2.c

diff --git a/NEWS b/NEWS
index de2a428..f4f0964 100644
--- a/NEWS
+++ b/NEWS
@@ -8,11 +8,18 @@ See the end for copying conditions.
 is assumed to be a file that stores the pin. Based on patch
 by David Smith.
 
+** libgnutls: introduce gnutls_certificate_set_x509_system_trust
+which imports the trusted root CA's from a compile time defined location. 
+
 ** libgnutlsxx: Added session::set_transport_vec_push_function. Patch
 by Alexandre Bique.
 
 ** API and ABI modifications:
-No changes since last version.
+gnutls_certificate_set_x509_system_trust: Added
+gnutls_pkcs11_obj_list_import_url2: Added
+gnutls_x509_trust_list_add_system_trust: Added
+gnutls_x509_trust_list_add_trust_file: Added
+gnutls_x509_trust_list_add_trust_mem: Added
 
 
 * Version 3.0.19 (unreleased)
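Review bot: "CA's" in the new entry should be the plural "CAs", and the line carries trailing whitespace. The phrase "a compile time defined location" would be more useful to packagers if it named the defines the code reads, DEFAULT_TRUST_STORE_FILE and DEFAULT_TRUST_STORE_PKCS11 (see lib/x509/verify-high2.c in this patch), so that distributions know what to set.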
diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi
index cb79a7d..1ee95bf 100644
--- a/doc/cha-cert-auth.texi
+++ b/doc/cha-cert-auth.texi
@@ -236,6 +236,10 @@ provided.
 @showfuncdesc{gnutls_x509_trust_list_verify_crt}
 @showfuncdesc{gnutls_x509_trust_list_verify_named_crt}
 
address@hidden
address@hidden
address@hidden
+
 The verification function will verify a given certificate chain against a list 
of certificate
 authorities and certificate revocation lists, and output
 a bit-wise OR of elements of the @address@hidden@-status_t} 
@@ -253,10 +257,11 @@ This purpose is served by the functions 
@funcref{gnutls_x509_trust_list_add_name
 @cindex verifying certificate paths
 @tindex gnutls_certificate_verify_flags
 
-When operating in the context of a TLS session, if the trusted certificate
-authority list has been set via the
address@hidden and @funcref{gnutls_certificate_set_x509_crl_file},
-it is not required to setup a trusted list as above.
+When operating in the context of a TLS session, the trusted certificate
+authority list may also be set using:
address@hidden,gnutls_certificate_set_x509_crl_file,gnutls_certificate_set_x509_system_trust}
+
+Then it is not required to setup a trusted list as above.
 The function @funcref{gnutls_certificate_verify_peers2} 
 may then be used to verify the peer's certificate chain.
 
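Review bot: the rewritten paragraph has "setup" where the verb "set up" is meant, and the sentence "Then it is not required to setup a trusted list as above." now stands alone after the @showfuncC list, which reads oddly. Suggest folding it into the preceding sentence, e.g. "... may also be set using the following functions, in which case a trust list need not be set up as above:" followed by the @showfuncC line.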
diff --git a/doc/cha-cert-auth2.texi b/doc/cha-cert-auth2.texi
index 6838bf5..9ebb74a 100644
--- a/doc/cha-cert-auth2.texi
+++ b/doc/cha-cert-auth2.texi
@@ -523,6 +523,7 @@ the following functions can be used to load PKCS #11 key and
 certificates by specifying a PKCS #11 URL instead of a filename.
 
 
@showfuncB{gnutls_certificate_set_x509_trust_file,gnutls_certificate_set_x509_key_file}
address@hidden
 
 @include invoke-p11tool.texi
 
diff --git a/doc/examples/ex-client-dtls.c b/doc/examples/ex-client-dtls.c
index 21e7244..377c42e 100644
--- a/doc/examples/ex-client-dtls.c
+++ b/doc/examples/ex-client-dtls.c
@@ -18,7 +18,6 @@
  */
 
 #define MAX_BUF 1024
-#define CAFILE "/etc/ssl/certs/ca-certificates.crt"
 #define MSG "GET / HTTP/1.0\r\n\r\n"
 
 extern int udp_connect (void);
@@ -40,7 +39,7 @@ main (void)
   gnutls_certificate_allocate_credentials (&xcred);
 
   /* sets the trusted cas file */
-  gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM);
+  gnutls_certificate_set_x509_system_trust(xcred); 
   gnutls_certificate_set_verify_function (xcred, verify_certificate_callback);
 
   /* Initialize TLS session */
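Review bot: the comment "/* sets the trusted cas file */" above the new call is now stale, since no file is involved; "sets the trusted CAs to the system ones" would match the x509 example. The return value of gnutls_certificate_set_x509_system_trust is also dropped, while the doc added to lib/gnutls_x509.c in this same patch says it returns the number of certificates processed or a negative error; an example should at least abort on a negative value, and reporting a zero count would tell the reader why a later handshake is rejected with no trusted signer. The new line also has trailing whitespace.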
diff --git a/doc/examples/ex-client-resume.c b/doc/examples/ex-client-resume.c
index c094950..cfa3aad 100644
--- a/doc/examples/ex-client-resume.c
+++ b/doc/examples/ex-client-resume.c
@@ -16,7 +16,6 @@ extern int tcp_connect (void);
 extern void tcp_close (int sd);
 
 #define MAX_BUF 1024
-#define CAFILE "/etc/ssl/certs/ca-certificates.crt"
 #define MSG "GET / HTTP/1.0\r\n\r\n"
 
 int
@@ -39,7 +38,7 @@ main (void)
   /* X509 stuff */
   gnutls_certificate_allocate_credentials (&xcred);
 
-  gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM);
+  gnutls_certificate_set_x509_system_trust(xcred); 
 
   for (t = 0; t < 2; t++)
     {                           /* connect 2 times to the server */
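Review bot: as in the other examples, the return value of gnutls_certificate_set_x509_system_trust(xcred) is ignored here; treating a negative result as fatal keeps the example honest about why verification would later fail. Trailing whitespace after the call.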
diff --git a/doc/examples/ex-client-srp.c b/doc/examples/ex-client-srp.c
index 7784075..172c152 100644
--- a/doc/examples/ex-client-srp.c
+++ b/doc/examples/ex-client-srp.c
@@ -18,7 +18,6 @@ extern void tcp_close (int sd);
 #define MAX_BUF 1024
 #define USERNAME "user"
 #define PASSWORD "pass"
-#define CAFILE "/etc/ssl/certs/ca-certificates.crt"
 #define MSG "GET / HTTP/1.0\r\n\r\n"
 
 int
@@ -36,8 +35,8 @@ main (void)
   gnutls_srp_allocate_client_credentials (&srp_cred);
   gnutls_certificate_allocate_credentials (&cert_cred);
 
-  gnutls_certificate_set_x509_trust_file (cert_cred, CAFILE,
-                                          GNUTLS_X509_FMT_PEM);
+  gnutls_certificate_set_x509_system_trust(cert_cred); 
+
   gnutls_srp_set_client_credentials (srp_cred, USERNAME, PASSWORD);
 
   /* connects to server
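Review bot: the return of gnutls_certificate_set_x509_system_trust(cert_cred) is unchecked, and the line has trailing whitespace; the added empty "+" line after it is also whitespace-only. A short `if (ret < 0) { ... exit }` in the example would show the intended usage.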
diff --git a/doc/examples/ex-client-x509.c b/doc/examples/ex-client-x509.c
index ab46118..e442886 100644
--- a/doc/examples/ex-client-x509.c
+++ b/doc/examples/ex-client-x509.c
@@ -17,7 +17,7 @@
  */
 
 #define MAX_BUF 1024
-#define CAFILE "/etc/ssl/certs/ca-certificates.crt"
+/* #define CAFILE "/etc/ssl/certs/ca-certificates.crt" */
 #define MSG "GET / HTTP/1.0\r\n\r\n"
 
 extern int tcp_connect (void);
@@ -37,9 +37,12 @@ int main (void)
   /* X509 stuff */
   gnutls_certificate_allocate_credentials (&xcred);
 
-  /* sets the trusted cas file
+  /* sets the trusted cas to be the system ones
    */
-  gnutls_certificate_set_x509_trust_file (xcred, CAFILE, GNUTLS_X509_FMT_PEM);
+  gnutls_certificate_set_x509_system_trust(xcred); 
+  /* gnutls_certificate_set_x509_trust_file (xcred, CAFILE, 
GNUTLS_X509_FMT_PEM); 
+   */
+
   gnutls_certificate_set_verify_function (xcred, _verify_certificate_callback);
   
   /* If client holds a certificate it can be set using the following:
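Review bot: the commented-out call to gnutls_certificate_set_x509_trust_file (and the commented-out CAFILE define in the first hunk of this file) is dead code in a manual example; either delete it or turn it into a one-line comment pointing at gnutls_certificate_set_x509_trust_file as the alternative, since the manual chapter updated in this patch already documents both. The return value of gnutls_certificate_set_x509_system_trust(xcred) is also not checked, and the line has trailing whitespace.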
diff --git a/doc/manpages/Makefile.am b/doc/manpages/Makefile.am
index 04f0eae..137ebd8 100644
--- a/doc/manpages/Makefile.am
+++ b/doc/manpages/Makefile.am
@@ -327,7 +327,6 @@ APIMANS += gnutls_certificate_set_x509_simple_pkcs12_mem.3
 APIMANS += gnutls_certificate_set_x509_key.3
 APIMANS += gnutls_certificate_set_x509_trust.3
 APIMANS += gnutls_certificate_set_x509_crl.3
-APIMANS += gnutls_certificate_get_openpgp_keyring.3
 APIMANS += gnutls_global_init.3
 APIMANS += gnutls_global_deinit.3
 APIMANS += gnutls_global_set_mutex.3
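Review bot: the removal of gnutls_certificate_get_openpgp_keyring.3 is not mentioned in the commit message, which only describes added trust list functions. If that manpage no longer exists this is fine, but it should be called out in the message or go in its own commit so the change is easy to find later.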
@@ -547,6 +546,7 @@ APIMANS += gnutls_pkcs11_token_get_url.3
 APIMANS += gnutls_pkcs11_token_get_info.3
 APIMANS += gnutls_pkcs11_token_get_flags.3
 APIMANS += gnutls_pkcs11_obj_list_import_url.3
+APIMANS += gnutls_pkcs11_obj_list_import_url2.3
 APIMANS += gnutls_x509_crt_import_pkcs11.3
 APIMANS += gnutls_x509_crt_import_pkcs11_url.3
 APIMANS += gnutls_pkcs11_obj_get_type.3
@@ -789,6 +789,9 @@ APIMANS += gnutls_x509_trust_list_add_named_crt.3
 APIMANS += gnutls_x509_trust_list_add_crls.3
 APIMANS += gnutls_x509_trust_list_verify_named_crt.3
 APIMANS += gnutls_x509_trust_list_verify_crt.3
+APIMANS += gnutls_x509_trust_list_add_trust_mem.3
+APIMANS += gnutls_x509_trust_list_add_trust_file.3
+APIMANS += gnutls_x509_trust_list_add_system_trust.3
 
 dist_man_MANS += $(APIMANS)
 
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index 2b28edd..b220e08 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -1625,6 +1625,10 @@ _gnutls_certificate_set_x509_system_trust_file 
(gnutls_certificate_credentials_t
  * This function adds the system's default trusted CAs in order to
  * verify client or server certificates.
  *
+ * Returns: the number of certificates processed or a negative error code
+ * on error.
+ *
+ * Since: 3.1
  **/
 int
 gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t 
cred)
diff --git a/lib/includes/gnutls/pkcs11.h b/lib/includes/gnutls/pkcs11.h
index 1382954..eb95f4c 100644
--- a/lib/includes/gnutls/pkcs11.h
+++ b/lib/includes/gnutls/pkcs11.h
@@ -314,6 +314,14 @@ int gnutls_pkcs11_obj_list_import_url (gnutls_pkcs11_obj_t 
* p_list,
                                        unsigned int flags
                                        /* GNUTLS_PKCS11_OBJ_FLAG_* */ );
 
+int
+gnutls_pkcs11_obj_list_import_url2 (gnutls_pkcs11_obj_t ** p_list,
+                                   unsigned int *n_list,
+                                   const char *url,
+                                   gnutls_pkcs11_obj_attr_t attrs,
+                                   unsigned int flags
+                                   /* GNUTLS_PKCS11_OBJ_FLAG_* */ );
+
 int gnutls_x509_crt_import_pkcs11 (gnutls_x509_crt_t crt,
                                    gnutls_pkcs11_obj_t pkcs11_crt);
 int gnutls_x509_crt_import_pkcs11_url (gnutls_x509_crt_t crt, const char *url,
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 859966b..a772bd3 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -974,7 +974,26 @@ extern "C"
     unsigned int *verify,
     gnutls_verify_output_function func);
 
-
+  /* trust list convenience functions */
+int
+gnutls_x509_trust_list_add_trust_mem(gnutls_x509_trust_list_t list,
+                                     const gnutls_datum_t * cas, 
+                                     const gnutls_datum_t * crls,
+                                     gnutls_x509_crt_fmt_t type,
+                                     unsigned int tl_flags,
+                                     unsigned int tl_vflags);
+
+int
+gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,
+                                      const char* ca_file, 
+                                      const char* crl_file,
+                                      gnutls_x509_crt_fmt_t type,
+                                      unsigned int tl_flags,
+                                      unsigned int tl_vflags);
+
+int
+gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list,
+                                        unsigned int tl_flags, unsigned int 
tl_vflags);
 #ifdef __cplusplus
 }
 #endif
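Review bot: a blank line is missing between the last new prototype and "#ifdef __cplusplus", and the "/* trust list convenience functions */" comment is indented by two spaces while the prototypes it introduces start in column 0; the earlier declarations in this header are indented consistently. Trailing whitespace on the "const gnutls_datum_t * cas," and "const char* ca_file," lines.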
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 1a913dd..c7385ad 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -788,9 +788,13 @@ GNUTLS_3_0_0 {
        gnutls_session_get_random;
 } GNUTLS_2_12;
 
-GNUTLS_3_0_1 {
+GNUTLS_3_1_0 {
   global:
        gnutls_certificate_set_x509_system_trust;
+       gnutls_pkcs11_obj_list_import_url2;
+       gnutls_x509_trust_list_add_system_trust;
+       gnutls_x509_trust_list_add_trust_file;
+       gnutls_x509_trust_list_add_trust_mem;
 } GNUTLS_3_0_0;
 
 GNUTLS_PRIVATE {
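Review bot: renaming the version node GNUTLS_3_0_1 to GNUTLS_3_1_0 changes the symbol version of gnutls_certificate_set_x509_system_trust, which is only safe if no released build ever exported GNUTLS_3_0_1 (the NEWS hunk places it under the unreleased version and the new doc says "Since: 3.1", so that appears to be the case). Worth stating in the commit message so nobody reads it as an ABI break.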
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 6cc40f3..49b955f 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -2544,6 +2544,63 @@ gnutls_pkcs11_obj_list_import_url (gnutls_pkcs11_obj_t * 
p_list,
 }
 
 /**
+ * gnutls_pkcs11_obj_list_import_url2:
+ * @p_list: An uninitialized object list (may be NULL)
+ * @n_list: It will contain the size of the list.
+ * @url: A PKCS 11 url identifying a set of objects
+ * @attrs: Attributes of type #gnutls_pkcs11_obj_attr_t that can be used to 
limit output
+ * @flags: One of GNUTLS_PKCS11_OBJ_* flags
+ *
+ * This function will initialize and set values to an object list
+ * by using all objects identified by the PKCS 11 URL. The output
+ * is stored in @p_list, which will be initialized.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS (0) is returned, otherwise a
+ *   negative error value.
+ *
+ * Since: 3.1
+ **/
+int
+gnutls_pkcs11_obj_list_import_url2 (gnutls_pkcs11_obj_t ** p_list,
+                                   unsigned int *n_list,
+                                   const char *url,
+                                   gnutls_pkcs11_obj_attr_t attrs,
+                                   unsigned int flags)
+{
+unsigned int init = 1024;
+int ret;
+
+  *p_list = gnutls_malloc(sizeof(gnutls_pkcs11_obj_t)*init);
+  if (*p_list == NULL)
+    {
+      gnutls_assert();
+      return GNUTLS_E_MEMORY_ERROR;
+    }
+
+  ret = gnutls_pkcs11_obj_list_import_url( *p_list, &init, url, attrs, flags);
+  if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
+    {
+      *p_list = gnutls_realloc_fast(*p_list, sizeof(gnutls_pkcs11_obj_t)*init);
+      if (*p_list == NULL)
+        return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
+      
+      ret = gnutls_pkcs11_obj_list_import_url( *p_list, &init, url, attrs, 
flags);
+    }
+
+  if (ret < 0)
+    {
+      gnutls_assert();
+      gnutls_free(*p_list);
+      *p_list = NULL;
+      return ret;
+    }
+
+  *n_list = init;
+  return 0;
+
+}
+
+/**
  * gnutls_x509_crt_import_pkcs11_url:
  * @crt: A certificate of type #gnutls_x509_crt_t
  * @url: A PKCS 11 url
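Review bot: the doc says "@p_list: An uninitialized object list (may be NULL)" but the body writes "*p_list = gnutls_malloc(...)" unconditionally, so p_list itself must not be NULL; the comment should say that the pointer is required and only its target is uninitialized. *n_list is set only on success, which the Returns text should mention. The 1024-entry first guess also means gnutls_pkcs11_obj_list_import_url is run twice for larger token contents; if that function initializes entries before reporting GNUTLS_E_SHORT_MEMORY_BUFFER, the objects from the first pass are re-initialized by the retry and leak, which is worth checking.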
diff --git a/lib/x509/Makefile.am b/lib/x509/Makefile.am
index d16dfc7..dff0117 100644
--- a/lib/x509/Makefile.am
+++ b/lib/x509/Makefile.am
@@ -56,6 +56,7 @@ libgnutls_x509_la_SOURCES =   \
        x509_int.h              \
        x509_write.c            \
        verify-high.c           \
+       verify-high2.c          \
        verify-high.h
 
 if ENABLE_OCSP
diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c
new file mode 100644
index 0000000..d6c9991
--- /dev/null
+++ b/lib/x509/verify-high2.c
@@ -0,0 +1,252 @@
+/*
+ * Copyright (C) 2012 Free Software Foundation, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * The GnuTLS is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public License
+ * as published by the Free Software Foundation; either version 3 of
+ * the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+#include <gnutls_int.h>
+#include <gnutls_errors.h>
+#include <libtasn1.h>
+#include <gnutls_global.h>
+#include <gnutls_num.h>
+#include <gnutls_sig.h>
+#include <gnutls_str.h>
+#include <gnutls_datum.h>
+#include <hash.h>
+#include "x509_int.h"
+#include <common.h>
+#include "verify-high.h"
+#include "read-file.h"
+
+/* Convenience functions for verify-high functionality 
+ */
+
+/**
+ * gnutls_x509_trust_list_add_trust_mem:
+ * @list: The structure of the list
+ * @ca_file: A file containing a list of CAs (optional)
+ * @crl_file: A file containing a list of CRLs (optional)
+ * @type: The format of the certificates
+ * @tl_flags: GNUTLS_TL_*
+ * @tl_vflags: gnutls_certificate_verify_flags if flags specifies 
GNUTLS_TL_VERIFY_CRL
+ *
+ * This function will add the given certificate authorities
+ * to the trusted list. 
+ *
+ * Returns: The number of added elements is returned.
+ *
+ * Since: 3.1
+ **/
+int
+gnutls_x509_trust_list_add_trust_mem(gnutls_x509_trust_list_t list,
+                                     const gnutls_datum_t * cas, 
+                                     const gnutls_datum_t * crls,
+                                     gnutls_x509_crt_fmt_t type,
+                                     unsigned int tl_flags,
+                                     unsigned int tl_vflags)
+{
+  int ret;
+  gnutls_x509_crt_t *x509_ca_list = NULL;
+  gnutls_x509_crl_t *x509_crl_list = NULL;
+  unsigned int x509_ncas, x509_ncrls;
+  unsigned int r = 0;
+  
+  if (cas != NULL && cas->data != NULL)
+    {
+      ret = gnutls_x509_crt_list_import2( &x509_ca_list, &x509_ncas, cas, 
GNUTLS_X509_FMT_PEM, 0);
+      if (ret < 0)
+        return gnutls_assert_val(ret);
+
+      ret = gnutls_x509_trust_list_add_cas(list, x509_ca_list, x509_ncas, 
tl_flags);
+      gnutls_free(x509_ca_list);
+
+      if (ret < 0)
+        return gnutls_assert_val(ret);
+      else
+        r += ret;
+    }
+
+  if (crls != NULL && crls->data != NULL)
+    {
+      ret = gnutls_x509_crl_list_import2( &x509_crl_list, &x509_ncrls, crls, 
GNUTLS_X509_FMT_PEM, 0);
+      if (ret < 0)
+        return gnutls_assert_val(ret);
+
+      ret = gnutls_x509_trust_list_add_crls(list, x509_crl_list, x509_ncrls, 
tl_flags, tl_vflags);
+      gnutls_free(x509_crl_list);
+
+      if (ret < 0)
+        return gnutls_assert_val(ret);
+      else
+        r += ret;
+    }
+
+  return r;
+}
+
+#ifdef ENABLE_PKCS11
+static 
+int import_pkcs11_url(gnutls_x509_trust_list_t list, const char* ca_file, 
unsigned int flags)
+{
+gnutls_x509_crt_t *xcrt_list = NULL;
+gnutls_pkcs11_obj_t *pcrt_list = NULL;
+unsigned int pcrt_list_size = 0, i;
+int ret;
+      
+  ret = gnutls_pkcs11_obj_list_import_url2(&pcrt_list, &pcrt_list_size, 
ca_file, 
+                                           GNUTLS_PKCS11_OBJ_ATTR_CRT_TRUSTED, 
0);
+  if (ret < 0)
+    return gnutls_assert_val(ret);
+     
+  if (pcrt_list_size == 0)
+    {
+      ret = 0;
+      goto cleanup;
+    }
+      
+  xcrt_list = gnutls_malloc(sizeof(gnutls_x509_crt_t)*pcrt_list_size);
+  if (xcrt_list == NULL)
+    {
+      ret = GNUTLS_E_MEMORY_ERROR;
+      goto cleanup;
+    }
+      
+  ret = gnutls_x509_crt_list_import_pkcs11( xcrt_list, pcrt_list_size, 
pcrt_list, 0);
+  if (ret < 0)
+    {
+      gnutls_assert();
+      goto cleanup;
+    }
+  
+  ret = gnutls_x509_trust_list_add_cas(list, xcrt_list, pcrt_list_size, flags);
+  
+cleanup:
+  for (i=0;i<pcrt_list_size;i++)
+    gnutls_pkcs11_obj_deinit(pcrt_list[i]);
+  gnutls_free(pcrt_list);
+  gnutls_free(xcrt_list);
+
+  return ret;
+}
+
+#endif
+
+
+/**
+ * gnutls_x509_trust_list_add_trust_file:
+ * @list: The structure of the list
+ * @ca_file: A file containing a list of CAs (optional)
+ * @crl_file: A file containing a list of CRLs (optional)
+ * @type: The format of the certificates
+ * @tl_flags: GNUTLS_TL_*
+ * @tl_vflags: gnutls_certificate_verify_flags if flags specifies 
GNUTLS_TL_VERIFY_CRL
+ *
+ * This function will add the given certificate authorities
+ * to the trusted list. pkcs11 URLs are also accepted, instead
+ * of files, by this function.
+ *
+ * Returns: The number of added elements is returned.
+ *
+ * Since: 3.1
+ **/
+int
+gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,
+                                      const char* ca_file, 
+                                      const char* crl_file,
+                                      gnutls_x509_crt_fmt_t type,
+                                      unsigned int tl_flags,
+                                      unsigned int tl_vflags)
+{
+  gnutls_datum_t cas = { NULL, 0 };
+  gnutls_datum_t crls = { NULL, 0 };
+  size_t size;
+  int ret;
+
+#ifdef ENABLE_PKCS11
+  if (strncmp (ca_file, "pkcs11:", 7) == 0)
+    {
+      ret = import_pkcs11_url(list, ca_file, tl_flags);
+      if (ret < 0)
+        return gnutls_assert_val(ret);
+    }
+  else
+#endif
+    {
+      cas.data = (void*)read_binary_file (ca_file, &size);
+      if (cas.data == NULL)
+        {
+          gnutls_assert ();
+          return GNUTLS_E_FILE_ERROR;
+        }
+      cas.size = size;
+    }
+
+  if (crl_file)
+    {
+      crls.data = (void*)read_binary_file (crl_file, &size);
+      if (crls.data == NULL)
+        {
+          gnutls_assert ();
+          return GNUTLS_E_FILE_ERROR;
+        }
+      crls.size = size;
+    }
+  
+  ret = gnutls_x509_trust_list_add_trust_mem(list, &cas, &crls, type, 
tl_flags, tl_vflags);
+  free(crls.data);
+  free(cas.data);
+
+  return ret;
+}
+
+/**
+ * gnutls_x509_trust_list_add_system_trust:
+ * @list: The structure of the list
+ * @tl_flags: GNUTLS_TL_*
+ * @tl_vflags: gnutls_certificate_verify_flags if flags specifies 
GNUTLS_TL_VERIFY_CRL
+ *
+ * This function adds the system's default trusted certificate
+ * authorities to the trusted list.
+ *
+ * Returns: The number of added elements is returned.
+ *
+ * Since: 3.1
+ **/
+int
+gnutls_x509_trust_list_add_system_trust(gnutls_x509_trust_list_t list,
+                                        unsigned int tl_flags, unsigned int 
tl_vflags)
+{
+  int ret, r = 0;
+
+#if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11)
+  ret = gnutls_x509_trust_list_add_trust_file(list, 
DEFAULT_TRUST_STORE_PKCS11, NULL, 
+                                              GNUTLS_X509_FMT_DER, tl_flags, 
tl_vflags);
+  if (ret > 0)
+    r += ret;
+#endif
+
+#ifdef DEFAULT_TRUST_STORE_FILE
+  ret = gnutls_x509_trust_list_add_trust_file(list, DEFAULT_TRUST_STORE_FILE, 
NULL, 
+                                              GNUTLS_X509_FMT_PEM, tl_flags, 
tl_vflags);
+  if (ret > 0)
+    r += ret;
+#endif
+
+  return r;
+}
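Review bot: gnutls_x509_trust_list_add_trust_mem ignores its "type" parameter: both gnutls_x509_crt_list_import2 and gnutls_x509_crl_list_import2 are called with a hard-coded GNUTLS_X509_FMT_PEM, so a caller passing GNUTLS_X509_FMT_DER gets a parse error (add_system_trust passes DER for the PKCS#11 store and only works because that branch never reaches this function with data). In gnutls_x509_trust_list_add_trust_file, ca_file is documented as optional but is passed to strncmp and read_binary_file with no NULL check, and in the PKCS#11 branch the count returned by import_pkcs11_url is discarded because "ret" is overwritten by the later add_trust_mem call, so the documented "number of added elements" is wrong there. In gnutls_x509_trust_list_add_system_trust a negative return from add_trust_file is silently dropped, so a missing or unreadable store is indistinguishable from an empty one; either propagate the error when no store could be read, or document that 0 means no trust anchors were loaded and all later verifications will fail. Finally, the doc block of add_trust_mem lists @ca_file and @crl_file instead of its real @cas and @crls parameters.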
diff --git a/lib/x509/x509.c b/lib/x509/x509.c
index d0de3cb..e69bab6 100644
--- a/lib/x509/x509.c
+++ b/lib/x509/x509.c
@@ -3117,7 +3117,7 @@ cleanup:
  *
  * This function will convert the given PEM encoded certificate list
  * to the native gnutls_x509_crt_t format. The output will be stored
- * in @certs.  They will be automatically initialized.
+ * in @certs which will be initialized.
  *
  * If the Certificate is PEM encoded it should have a header of "X509
  * CERTIFICATE", or "CERTIFICATE".
diff --git a/src/cli.c b/src/cli.c
index cea0992..03848ca 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -73,8 +73,6 @@ int crlf;
 unsigned int verbose = 0;
 int print_cert;
 
-#define DEFAULT_CA_FILE "/etc/ssl/certs/ca-certificates.crt"
-
 const char *srp_passwd = NULL;
 const char *srp_username = NULL;
 const char *pgp_keyfile = NULL;


hooks/post-receive
-- 
GNU gnutls


