From 529f61388f8c235fc250aa466163396a8965b362 Mon Sep 17 00:00:00 2001
From: Marc Aldorasi
Date: Wed, 19 Nov 2025 11:12:31 -0500
Subject: [PATCH] gnutls: implement CURLOPT_CAINFO_BLOB
This adds support for in-memory CA certs using CURLOPT_CAINFO_BLOB to the GnuTLS backend.
Closes #19612
---
 docs/libcurl/opts/CURLOPT_CAINFO_BLOB.md | 3 ++-
 lib/vtls/gtls.c | 27 +++++++++++++++++++++++-
 2 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/docs/libcurl/opts/CURLOPT_CAINFO_BLOB.md b/docs/libcurl/opts/CURLOPT_CAINFO_BLOB.md
index 149c9b795f..99bfaf11e6 100644
--- a/docs/libcurl/opts/CURLOPT_CAINFO_BLOB.md
+++ b/docs/libcurl/opts/CURLOPT_CAINFO_BLOB.md
@@ -13,6 +13,7 @@ See-also:
   - CURLOPT_SSL_VERIFYPEER (3)
 TLS-backend:
   - OpenSSL
+  - GnuTLS
   - mbedTLS
   - rustls
   - wolfSSL
@@ -80,7 +81,7 @@ int main(void)
 # HISTORY
 This option is supported by the mbedTLS (since 7.81.0), Rustls (since 7.82.0),
-wolfSSL (since 8.2.0), OpenSSL and Schannel backends.
+wolfSSL (since 8.2.0), GnuTLS (since 8.18.0), OpenSSL and Schannel backends.
 # %AVAILABILITY%
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index eba5fb36f0..c0e248642b 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -477,7 +477,31 @@ static CURLcode gtls_populate_creds(struct Curl_cfilter *cf,
 #endif
   }
-  if(config->CAfile) {
+  if(config->ca_info_blob) {
+    gnutls_datum_t ca_info_datum;
+    if(config->ca_info_blob->len > (size_t)UINT_MAX) {
+      failf(data, "certificate blob too long: %zu bytes",
+            config->ca_info_blob->len);
+      return CURLE_SSL_CACERT_BADFILE;
+    }
+    ca_info_datum.data = config->ca_info_blob->data;
+    ca_info_datum.size = (unsigned int)config->ca_info_blob->len;
+    rc = gnutls_certificate_set_x509_trust_mem(creds, &ca_info_datum,
+                                               GNUTLS_X509_FMT_PEM);
+    creds_are_empty = creds_are_empty && (rc <= 0);
+    if(rc < 0) {
+      infof(data, "error reading ca cert blob (%s)%s", gnutls_strerror(rc),
+            (creds_are_empty ? "" : ", continuing anyway"));
+      if(creds_are_empty) {
+        ssl_config->certverifyresult = rc;
+        return CURLE_SSL_CACERT_BADFILE;
+      }
+    }
+    else
+      infof(data, " CA Blob: %d certificates", rc);
+  }
+  /* CURLOPT_CAINFO_BLOB overrides CURLOPT_CAINFO */
+  else if(config->CAfile) {
     /* set the trusted CA cert bundle file */
     gnutls_certificate_set_verify_flags(creds,
                                         GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
@@ -2335,6 +2359,7 @@ const struct Curl_ssl Curl_ssl_gnutls = {
   SSLSUPP_CERTINFO |
   SSLSUPP_PINNEDPUBKEY |
   SSLSUPP_HTTPS_PROXY |
+  SSLSUPP_CAINFO_BLOB |
   SSLSUPP_CIPHER_LIST |
   SSLSUPP_CA_CACHE,
-- 
2.47.3
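Review bot: The new `if(config->ca_info_blob)` branch never calls `gnutls_certificate_set_verify_flags(creds, GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT)`, which the context lines show the `else if(config->CAfile)` branch doing first, so judging by the flag's name an X.509v1 CA certificate is accepted when supplied through CURLOPT_CAINFO but rejected when the same PEM arrives through CURLOPT_CAINFO_BLOB. If that stricter behavior is intended it deserves a comment on the blob branch, e.g. `/* unlike CAfile, v1 CA certs are not enabled for a blob trust store */`; if not, the verify-flags call should be hoisted above the `if(config->ca_info_blob)` so both trust sources are treated alike. Separately, a blob that parses to zero certificates (`rc == 0`) is reported as success via ` CA Blob: 0 certificates` and falls through with `creds_are_empty` still true, which for a caller-supplied blob is more likely a mis-encoded (e.g. DER) bundle than an intentional empty store; whether verification then fails closed depends on how `creds_are_empty` is consumed later in gtls_populate_creds, which is outside this hunk, so consider failing with `CURLE_SSL_CACERT_BADFILE` on `rc == 0` for a non-NULL blob. gtls_populate_creds begins before and continues after this hunk.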