gtls: Add P12 format support
authorTatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Fri, 20 Sep 2024 09:04:46 +0000 (18:04 +0900)
committerDaniel Stenberg <daniel@haxx.se>
Sun, 22 Sep 2024 19:24:55 +0000 (21:24 +0200)
This change adds P12 format support to the GnuTLS backend.

Closes #14991

docs/libcurl/opts/CURLOPT_SSLCERTTYPE.md
lib/vtls/gtls.c

index efde95b1636869a9efeaccf78b809a6e5025e71b..696344a9000608191729d429032fdda61590b630 100644 (file)
@@ -39,7 +39,7 @@ the format of your certificate.
 Supported formats are "PEM" and "DER", except with Secure Transport or
 Schannel. OpenSSL (versions 0.9.3 and later), Secure Transport (on iOS 5 or
 later, or macOS 10.7 or later) and Schannel support "P12" for PKCS#12-encoded
-files.
+files. GnuTLS supports P12 starting with curl 8.11.0.
 
 The application does not have to keep the string around after setting this
 option.
index dc9b102f18cee9fedb9b30085b3ca8c9ffdcf45f..562c5a3b2c98b21828898820c1a515de6a1cf0ee 100644 (file)
@@ -936,7 +936,19 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf,
       if(result)
         return result;
     }
-    if(ssl_config->key_passwd) {
+    if(ssl_config->cert_type && strcasecompare(ssl_config->cert_type, "P12")) {
+      rc = gnutls_certificate_set_x509_simple_pkcs12_file(
+        gtls->shared_creds->creds, config->clientcert, GNUTLS_X509_FMT_DER,
+        ssl_config->key_passwd ? ssl_config->key_passwd : "");
+      if(rc != GNUTLS_E_SUCCESS) {
+        failf(data,
+              "error reading X.509 potentially-encrypted key or certificate "
+              "file: %s",
+              gnutls_strerror(rc));
+        return CURLE_SSL_CONNECT_ERROR;
+      }
+    }
+    else if(ssl_config->key_passwd) {
       const unsigned int supported_key_encryption_algorithms =
         GNUTLS_PKCS_USE_PKCS12_3DES | GNUTLS_PKCS_USE_PKCS12_ARCFOUR |
         GNUTLS_PKCS_USE_PKCS12_RC2_40 | GNUTLS_PKCS_USE_PBES2_3DES |
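Review bot: The new P12 branch at the gnutls_certificate_set_x509_simple_pkcs12_file call never consults a separately configured key path or key type (CURLOPT_SSLKEY / CURLOPT_SSLKEYTYPE), presumably because the PKCS#12 bundle is expected to carry its own private key, but nothing in the code says so; a comment such as `/* PKCS#12 bundles carry their own key; CURLOPT_SSLKEY is not consulted here */` would make that explicit, and an infof() when a key path is nevertheless set would help users diagnose a misconfiguration. The failf message on the gnutls_strerror line is copied from the existing key_passwd branch and says neither that the file was parsed as PKCS#12 nor which file failed, so `failf(data, "error reading PKCS#12 file %s: %s", config->clientcert, gnutls_strerror(rc));` would point at the actual problem. Whether an empty string rather than NULL is the right "no password" argument for this GnuTLS function is worth confirming against the GnuTLS documentation, since an unencrypted bundle that still carries a MAC may be handled differently by the two. gtls_client_init begins before and continues past this hunk.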