From: Daniel Kahn Gillmor
Subject: [Bug-wget] [PATCH] enable client certificates with wget when linked against GnuTLS
Date: Tue, 03 Apr 2012 15:54:58 -0400
User-agent: Notmuch/0.12 (http://notmuchmail.org) Emacs/23.4.1 (i486-pc-linux-gnu)
tags 646983 + patch
forwarded 646983
https://lists.gnu.org/archive/html/bug-wget/2011-10/msg00051.html
thanks
It looks to me like the GnuTLS bindings for wget don't do anything
with client-side certificate credentials. I suspect this is the cause
of the bug Clint ran into.
In Debian, wget transitioned from openssl to gnutls between 1.12 and
1.13, which would explain why Clint's "Error in the push function"
happened last Hallowe'en.
The attached diff enables client certificates when wget is linked against
GnuTLS.
--dkg
diff --git a/src/gnutls.c b/src/gnutls.c
index 40a04ef..1d21cf4 100644
--- a/src/gnutls.c
+++ b/src/gnutls.c
@@ -54,6 +54,20 @@ as that of the covered work. */
# include "w32sock.h"
#endif
+static int
+key_type_to_gnutls_type (enum keyfile_type type)
+{
+ switch (type)
+ {
+ case keyfile_pem:
+ return GNUTLS_X509_FMT_PEM;
+ case keyfile_asn1:
+ return GNUTLS_X509_FMT_DER;
+ default:
+ abort ();
+ }
+}
+
/* Note: some of the functions private to this file have names that
begin with "wgnutls_" (e.g. wgnutls_read) so that they wouldn't be
confused with actual gnutls functions -- such as the gnutls_read
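Review bot: the `default: abort ();` branch of key_type_to_gnutls_type turns any keyfile_type value the switch does not name into a process abort; that is acceptable for an enum that only the option parser produces, but the helper has no comment saying so and no header comment at all, so a one-line note that the default is an internal-consistency check would help the next reader. Placement is also slightly off: the helper is inserted above the comment block explaining the file's "wgnutls_" naming convention for private functions, and it reads better after that note, alongside the other file-private helpers it describes.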
@@ -101,6 +115,30 @@ ssl_init ()
closedir (dir);
}
+ /* Use the private key from the cert file unless otherwise specified. */
+ if (opt.cert_file && !opt.private_key)
+ {
+ opt.private_key = opt.cert_file;
+ opt.private_key_type = opt.cert_type;
+ }
+ /* Use the cert from the private key file unless otherwise specified. */
+ if (!opt.cert_file && opt.private_key)
+ {
+ opt.cert_file = opt.private_key;
+ opt.cert_type = opt.private_key_type;
+ }
+
+ if (opt.cert_file && opt.private_key) {
+ if (opt.private_key_type != opt.cert_type) {
+ /* GnuTLS can't handle this */
+ logprintf (LOG_NOTQUIET, _("ERROR: GnuTLS requires the key and the cert
to be of the same type. Preferring --private-key-type over
--certificate-type.\n"));
+ }
+
+ gnutls_certificate_set_x509_key_file (credentials, opt.cert_file,
+ opt.private_key,
+
key_type_to_gnutls_type(opt.private_key_type));
+ }
+
if (opt.ca_cert)
gnutls_certificate_set_x509_trust_file (credentials, opt.ca_cert,
GNUTLS_X509_FMT_PEM);
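Review bot: the return value of gnutls_certificate_set_x509_key_file is discarded, so if the certificate or key file is missing, unreadable, or not in the selected format, wget silently proceeds with no client credentials loaded and the user only sees the server's rejection of the handshake; capture the return value, and on a negative result log it via gnutls_strerror with the file names before continuing. The message emitted when the two types differ is prefixed "ERROR:" yet the code carries on using --private-key-type, so it behaves as a warning; either drop the ERROR prefix or make the mismatch fatal so the label matches the behaviour. Minor style point: the `if (opt.cert_file && opt.private_key) {` and inner `if ... {` put the brace on the same line, unlike the GNU-style braces used by the surrounding code in this function.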