]> git.ipfire.org Git - thirdparty/gnutls.git/commitdiff
introduce gnutls_certificate_set_x509_system_trust
authorLudwig Nussel <ludwig.nussel@suse.de>
Tue, 8 May 2012 14:28:25 +0000 (16:28 +0200)
committerNikos Mavrogiannopoulos <nmav@gnutls.org>
Wed, 9 May 2012 14:27:43 +0000 (16:27 +0200)
gnutls_certificate_set_x509_system_trust() imports the trusted root CA's
from a compile time defined location. That way applications don't
need to know.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
configure.ac
doc/Makefile.am
doc/manpages/Makefile.am
lib/gnutls_x509.c
lib/includes/gnutls/gnutls.h.in
lib/libgnutls.map
src/cli.c

index fa2eb8f5f77908f2ee149513e4df099985513d40..507bdbea47fc81eff4077196f8a54f9aea43a0dd 100644 (file)
@@ -285,6 +285,41 @@ AC_PROG_LN_S
 AC_LIBTOOL_WIN32_DLL
 AC_PROG_LIBTOOL
 
+AC_ARG_WITH([default-trust-store-pkcs11],
+  [AS_HELP_STRING([--with-default-trust-store-pkcs11=URI],
+    [use the given pkcs11 uri as default trust store])])
+
+if test "x$with_default_trust_store_pkcs11" != x; then
+  if test "x$with_p11_kit" = xno; then
+    AC_MSG_ERROR([cannot use pkcs11 store without p11-kit])
+  fi
+  AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_PKCS11],
+    ["$with_default_trust_store_pkcs11"], [use the given pkcs11 uri as default trust store])
+fi
+
+AC_ARG_WITH([default-trust-store-file],
+  [AS_HELP_STRING([--with-default-trust-store-file=FILE],
+    [use the given file default trust store])])
+
+if test "x$with_default_trust_store_pkcs11" = x -a "x$with_default_trust_store_file" = x; then
+  # auto detect http://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.html
+  for i in \
+    /etc/ssl/certs/ca-certificates.crt \
+    /etc/pki/tls/cert.pem \
+    /usr/local/share/certs/ca-root-nss.crt
+    do
+    if test -e $i; then
+      with_default_trust_store_file="$i"
+      break
+    fi
+  done
+fi
+
+if test "x$with_default_trust_store_file" != x; then
+  AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_FILE],
+    ["$with_default_trust_store_file"], [use the given file default trust store])
+fi
+
 dnl Guile bindings.
 opt_guile_bindings=yes
 AC_MSG_CHECKING([whether building Guile bindings])
@@ -518,6 +553,8 @@ if features are disabled)
   SRP support:      $ac_enable_srp
   PSK support:      $ac_enable_psk
   Anon auth support:$ac_enable_anon
+  Trust store pkcs: $with_default_trust_store_pkcs11
+  Trust store file: $with_default_trust_store_file
 ])
 
 AC_MSG_NOTICE([Optional applications:
index 792897121d6536a57647174301f127e9524f7c1d..f92cd0d8e05b01d79d4a91d169f2fd907c41d337 100644 (file)
@@ -717,6 +717,7 @@ FUNCS += functions/gnutls_certificate_free_crls
 FUNCS += functions/gnutls_certificate_set_dh_params
 FUNCS += functions/gnutls_certificate_set_verify_flags
 FUNCS += functions/gnutls_certificate_set_verify_limits
+FUNCS += functions/gnutls_certificate_set_x509_system_trust
 FUNCS += functions/gnutls_certificate_set_x509_trust_file
 FUNCS += functions/gnutls_certificate_set_x509_trust_mem
 FUNCS += functions/gnutls_certificate_set_x509_crl_file
index 0886d2575c3715725cb583f20b93b8484e0af0a0..04f0eae72759fb8a4991842ceb631fe73af691b2 100644 (file)
@@ -314,6 +314,7 @@ APIMANS += gnutls_certificate_free_crls.3
 APIMANS += gnutls_certificate_set_dh_params.3
 APIMANS += gnutls_certificate_set_verify_flags.3
 APIMANS += gnutls_certificate_set_verify_limits.3
+APIMANS += gnutls_certificate_set_x509_system_trust.3
 APIMANS += gnutls_certificate_set_x509_trust_file.3
 APIMANS += gnutls_certificate_set_x509_trust_mem.3
 APIMANS += gnutls_certificate_set_x509_crl_file.3
index 327539547841bf89e99b5b07fb22ce59a3cce57c..2b28edd6b5d7c773af5b4a81b19bb575a8352f39 100644 (file)
@@ -1588,6 +1588,61 @@ gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t cred,
   return ret;
 }
 
+#ifdef DEFAULT_TRUST_STORE_FILE
+static int
+_gnutls_certificate_set_x509_system_trust_file (gnutls_certificate_credentials_t cred)
+{
+  int ret;
+  gnutls_datum_t cas;
+  size_t size;
+
+  cas.data = (void*)read_binary_file (DEFAULT_TRUST_STORE_FILE, &size);
+  if (cas.data == NULL)
+    {
+      gnutls_assert ();
+      return GNUTLS_E_FILE_ERROR;
+    }
+
+  cas.size = size;
+
+  ret = gnutls_certificate_set_x509_trust_mem(cred, &cas, GNUTLS_X509_FMT_PEM);
+
+  free (cas.data);
+
+  if (ret < 0)
+    {
+      gnutls_assert ();
+    }
+
+  return ret;
+}
+#endif
+
+/**
+ * gnutls_certificate_set_x509_system_trust:
+ * @cred: is a #gnutls_certificate_credentials_t structure.
+ *
+ * This function adds the system's default trusted CAs in order to
+ * verify client or server certificates.
+ *
+ **/
+int
+gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred)
+{
+  int ret, r = 0;
+#if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11)
+  ret = read_cas_url (cred, DEFAULT_TRUST_STORE_PKCS11);
+  if (ret > 0)
+    r += ret;
+#endif
+#ifdef DEFAULT_TRUST_STORE_FILE
+  ret = _gnutls_certificate_set_x509_system_trust_file(cred);
+  if (ret > 0)
+    r += ret;
+#endif
+  return r;
+}
+
 static int
 parse_pem_crl_mem (gnutls_x509_trust_list_t tlist, 
                    const char * input_crl, unsigned int input_crl_size)
index 035f63857aa8d8feda0f254986faa48022c7691b..e9d92fd507ee853a51594abaf381e0643eba917e 100644 (file)
@@ -1099,6 +1099,9 @@ gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t session);
                                              res, unsigned int max_bits,
                                              unsigned int max_depth);
 
+  int
+    gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred);
+
   int
     gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t
                                             cred, const char *cafile,
index 31938482ed92549081a60c67f106669cbd91a003..1a913ddecfcda0de3e38a6ff0439853a25ebc377 100644 (file)
@@ -788,6 +788,11 @@ GNUTLS_3_0_0 {
        gnutls_session_get_random;
 } GNUTLS_2_12;
 
+GNUTLS_3_0_1 {
+  global:
+       gnutls_certificate_set_x509_system_trust;
+} GNUTLS_3_0_0;
+
 GNUTLS_PRIVATE {
   global:
     # Internal symbols needed by libgnutls-extra:
index 1cdc1df17362f3326181ff2ff9b9768e6bfe7d5c..cea0992cd347405fab24bf03f13e8f27561a8868 100644 (file)
--- a/src/cli.c
+++ b/src/cli.c
@@ -479,9 +479,6 @@ cert_verify_callback (gnutls_session_t session)
   int ssh = ENABLED_OPT(TOFU);
   const char* txt_service;
 
-  if (!x509_cafile && !pgp_keyring)
-    return 0;
-    
   rc = cert_verify(session, hostname);
   if (rc == 0)
     {
@@ -1184,11 +1181,6 @@ const char* rest = NULL;
   
   if (HAVE_OPT(X509CAFILE))
     x509_cafile = OPT_ARG(X509CAFILE);
-  else
-    {
-      if (access(DEFAULT_CA_FILE, R_OK) == 0)
-        x509_cafile = DEFAULT_CA_FILE;
-    }
   
   if (HAVE_OPT(X509CRLFILE))
     x509_crlfile = OPT_ARG(X509CRLFILE);
@@ -1419,15 +1411,20 @@ init_global_tls_stuff (void)
     {
       ret = gnutls_certificate_set_x509_trust_file (xcred,
                                                     x509_cafile, x509ctype);
-      if (ret < 0)
-        {
-          fprintf (stderr, "Error setting the x509 trust file\n");
-        }
-      else
-        {
-          printf ("Processed %d CA certificate(s).\n", ret);
-        }
     }
+  else
+    {
+      ret = gnutls_certificate_set_x509_system_trust (xcred);
+    }
+  if (ret < 0)
+    {
+      fprintf (stderr, "Error setting the x509 trust file\n");
+    }
+  else
+    {
+      printf ("Processed %d CA certificate(s).\n", ret);
+    }
+
   if (x509_crlfile != NULL)
     {
       ret = gnutls_certificate_set_x509_crl_file (xcred, x509_crlfile,