gnutls: implement CURLOPT_CAINFO_BLOB
authorMarc Aldorasi <maldorasi@imprivata.com>
Wed, 19 Nov 2025 16:12:31 +0000 (11:12 -0500)
committerDaniel Stenberg <daniel@haxx.se>
Fri, 21 Nov 2025 07:55:44 +0000 (08:55 +0100)
This adds support for in-memory CA certs using CURLOPT_CAINFO_BLOB to
the GnuTLS backend.

Closes #19612

docs/libcurl/opts/CURLOPT_CAINFO_BLOB.md
lib/vtls/gtls.c

index 149c9b795f6159f20d3f9615e1b5ddef7903f127..99bfaf11e673bd7dfeab7542ca5a0227e76feba1 100644 (file)
@@ -13,6 +13,7 @@ See-also:
   - CURLOPT_SSL_VERIFYPEER (3)
 TLS-backend:
   - OpenSSL
+  - GnuTLS
   - mbedTLS
   - rustls
   - wolfSSL
@@ -80,7 +81,7 @@ int main(void)
 # HISTORY
 
 This option is supported by the mbedTLS (since 7.81.0), Rustls (since 7.82.0),
-wolfSSL (since 8.2.0), OpenSSL and Schannel backends.
+wolfSSL (since 8.2.0), GnuTLS (since 8.18.0), OpenSSL and Schannel backends.
 
 # %AVAILABILITY%
 
index eba5fb36f09f8e269bda1751d8816217f5e78390..c0e248642b259a9b2341e88ca4cfaa1dd7885766 100644 (file)
@@ -477,7 +477,31 @@ static CURLcode gtls_populate_creds(struct Curl_cfilter *cf,
 #endif
   }
 
-  if(config->CAfile) {
+  if(config->ca_info_blob) {
+    gnutls_datum_t ca_info_datum;
+    if(config->ca_info_blob->len > (size_t)UINT_MAX) {
+      failf(data, "certificate blob too long: %zu bytes",
+            config->ca_info_blob->len);
+      return CURLE_SSL_CACERT_BADFILE;
+    }
+    ca_info_datum.data = config->ca_info_blob->data;
+    ca_info_datum.size = (unsigned int)config->ca_info_blob->len;
+    rc = gnutls_certificate_set_x509_trust_mem(creds, &ca_info_datum,
+                                               GNUTLS_X509_FMT_PEM);
+    creds_are_empty = creds_are_empty && (rc <= 0);
+    if(rc < 0) {
+      infof(data, "error reading ca cert blob (%s)%s", gnutls_strerror(rc),
+            (creds_are_empty ? "" : ", continuing anyway"));
+      if(creds_are_empty) {
+        ssl_config->certverifyresult = rc;
+        return CURLE_SSL_CACERT_BADFILE;
+      }
+    }
+    else
+      infof(data, "  CA Blob: %d certificates", rc);
+  }
+  /* CURLOPT_CAINFO_BLOB overrides CURLOPT_CAINFO */
+  else if(config->CAfile) {
     /* set the trusted CA cert bundle file */
     gnutls_certificate_set_verify_flags(creds,
                                         GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
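Review bot: A return of 0 from gnutls_certificate_set_x509_trust_mem (nothing imported from the blob) falls into the `else` branch and is only reported with `infof(data, "  CA Blob: %d certificates", rc)`, so a PEM blob that yields no trust anchors is accepted here and, if `creds_are_empty` is still true, the handshake later fails with a less diagnostic verification error instead of CURLE_SSL_CACERT_BADFILE at setup time. If GnuTLS can report an unusable blob with 0 rather than a negative code, I would add `else if(!rc && creds_are_empty) { failf(data, "no certificates found in CA cert blob"); return CURLE_SSL_CACERT_BADFILE; }` between the error and success branches. Separately, the CAfile branch below sets `GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT` before loading while the new blob branch does not, so a bundle containing a v1 CA certificate behaves differently depending on whether it is passed as a file or a blob; if the stricter behaviour for blobs is intended, a one-line comment saying so would help. The enclosing gtls_populate_creds starts and ends outside this hunk, so how `creds_are_empty` is consumed afterwards is not visible here.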
@@ -2335,6 +2359,7 @@ const struct Curl_ssl Curl_ssl_gnutls = {
   SSLSUPP_CERTINFO |
   SSLSUPP_PINNEDPUBKEY |
   SSLSUPP_HTTPS_PROXY |
+  SSLSUPP_CAINFO_BLOB |
   SSLSUPP_CIPHER_LIST |
   SSLSUPP_CA_CACHE,