AC_LIBTOOL_WIN32_DLL
AC_PROG_LIBTOOL
+AC_ARG_WITH([default-trust-store-pkcs11],
+ [AS_HELP_STRING([--with-default-trust-store-pkcs11=URI],
+ [use the given pkcs11 uri as default trust store])])
+
+if test "x$with_default_trust_store_pkcs11" != x; then
+ if test "x$with_p11_kit" = xno; then
+ AC_MSG_ERROR([cannot use pkcs11 store without p11-kit])
+ fi
+ AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_PKCS11],
+ ["$with_default_trust_store_pkcs11"], [use the given pkcs11 uri as default trust store])
+fi
+
+AC_ARG_WITH([default-trust-store-file],
+ [AS_HELP_STRING([--with-default-trust-store-file=FILE],
+ [use the given file default trust store])])
+
+if test "x$with_default_trust_store_pkcs11" = x -a "x$with_default_trust_store_file" = x; then
+ # auto detect http://lists.gnu.org/archive/html/help-gnutls/2012-05/msg00004.html
+ for i in \
+ /etc/ssl/certs/ca-certificates.crt \
+ /etc/pki/tls/cert.pem \
+ /usr/local/share/certs/ca-root-nss.crt
+ do
+ if test -e $i; then
+ with_default_trust_store_file="$i"
+ break
+ fi
+ done
+fi
+
+if test "x$with_default_trust_store_file" != x; then
+ AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_FILE],
+ ["$with_default_trust_store_file"], [use the given file default trust store])
+fi
+
dnl Guile bindings.
opt_guile_bindings=yes
AC_MSG_CHECKING([whether building Guile bindings])
SRP support: $ac_enable_srp
PSK support: $ac_enable_psk
Anon auth support:$ac_enable_anon
+ Trust store pkcs: $with_default_trust_store_pkcs11
+ Trust store file: $with_default_trust_store_file
])
AC_MSG_NOTICE([Optional applications:
FUNCS += functions/gnutls_certificate_set_dh_params
FUNCS += functions/gnutls_certificate_set_verify_flags
FUNCS += functions/gnutls_certificate_set_verify_limits
+FUNCS += functions/gnutls_certificate_set_x509_system_trust
FUNCS += functions/gnutls_certificate_set_x509_trust_file
FUNCS += functions/gnutls_certificate_set_x509_trust_mem
FUNCS += functions/gnutls_certificate_set_x509_crl_file
APIMANS += gnutls_certificate_set_dh_params.3
APIMANS += gnutls_certificate_set_verify_flags.3
APIMANS += gnutls_certificate_set_verify_limits.3
+APIMANS += gnutls_certificate_set_x509_system_trust.3
APIMANS += gnutls_certificate_set_x509_trust_file.3
APIMANS += gnutls_certificate_set_x509_trust_mem.3
APIMANS += gnutls_certificate_set_x509_crl_file.3
return ret;
}
+#ifdef DEFAULT_TRUST_STORE_FILE
+static int
+_gnutls_certificate_set_x509_system_trust_file (gnutls_certificate_credentials_t cred)
+{
+ int ret;
+ gnutls_datum_t cas;
+ size_t size;
+
+ cas.data = (void*)read_binary_file (DEFAULT_TRUST_STORE_FILE, &size);
+ if (cas.data == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_FILE_ERROR;
+ }
+
+ cas.size = size;
+
+ ret = gnutls_certificate_set_x509_trust_mem(cred, &cas, GNUTLS_X509_FMT_PEM);
+
+ free (cas.data);
+
+ if (ret < 0)
+ {
+ gnutls_assert ();
+ }
+
+ return ret;
+}
+#endif
+
+/**
+ * gnutls_certificate_set_x509_system_trust:
+ * @cred: is a #gnutls_certificate_credentials_t structure.
+ *
+ * This function adds the system's default trusted CAs in order to
+ * verify client or server certificates.
+ *
+ **/
+int
+gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred)
+{
+ int ret, r = 0;
+#if defined(ENABLE_PKCS11) && defined(DEFAULT_TRUST_STORE_PKCS11)
+ ret = read_cas_url (cred, DEFAULT_TRUST_STORE_PKCS11);
+ if (ret > 0)
+ r += ret;
+#endif
+#ifdef DEFAULT_TRUST_STORE_FILE
+ ret = _gnutls_certificate_set_x509_system_trust_file(cred);
+ if (ret > 0)
+ r += ret;
+#endif
+ return r;
+}
+
static int
parse_pem_crl_mem (gnutls_x509_trust_list_t tlist,
const char * input_crl, unsigned int input_crl_size)
res, unsigned int max_bits,
unsigned int max_depth);
+ int
+ gnutls_certificate_set_x509_system_trust (gnutls_certificate_credentials_t cred);
+
int
gnutls_certificate_set_x509_trust_file (gnutls_certificate_credentials_t
cred, const char *cafile,
gnutls_session_get_random;
} GNUTLS_2_12;
+GNUTLS_3_0_1 {
+ global:
+ gnutls_certificate_set_x509_system_trust;
+} GNUTLS_3_0_0;
+
GNUTLS_PRIVATE {
global:
# Internal symbols needed by libgnutls-extra:
int ssh = ENABLED_OPT(TOFU);
const char* txt_service;
- if (!x509_cafile && !pgp_keyring)
- return 0;
-
rc = cert_verify(session, hostname);
if (rc == 0)
{
if (HAVE_OPT(X509CAFILE))
x509_cafile = OPT_ARG(X509CAFILE);
- else
- {
- if (access(DEFAULT_CA_FILE, R_OK) == 0)
- x509_cafile = DEFAULT_CA_FILE;
- }
if (HAVE_OPT(X509CRLFILE))
x509_crlfile = OPT_ARG(X509CRLFILE);
{
ret = gnutls_certificate_set_x509_trust_file (xcred,
x509_cafile, x509ctype);
- if (ret < 0)
- {
- fprintf (stderr, "Error setting the x509 trust file\n");
- }
- else
- {
- printf ("Processed %d CA certificate(s).\n", ret);
- }
}
+ else
+ {
+ ret = gnutls_certificate_set_x509_system_trust (xcred);
+ }
+ if (ret < 0)
+ {
+ fprintf (stderr, "Error setting the x509 trust file\n");
+ }
+ else
+ {
+ printf ("Processed %d CA certificate(s).\n", ret);
+ }
+
if (x509_crlfile != NULL)
{
ret = gnutls_certificate_set_x509_crl_file (xcred, x509_crlfile,