From: Tatsuhiro Tsujikawa
Date: Fri, 20 Sep 2024 09:04:46 +0000 (+0900)
Subject: gtls: Add P12 format support
X-Git-Tag: curl-8_11_0~361
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7307c1a289a75e164bd5cf000458f2a5a2f133f4;p=thirdparty%2Fcurl.git

gtls: Add P12 format support

This change adds P12 format support for GnuTLS backend.

Closes #14991
---

diff --git a/docs/libcurl/opts/CURLOPT_SSLCERTTYPE.md b/docs/libcurl/opts/CURLOPT_SSLCERTTYPE.md
index efde95b163..696344a900 100644
--- a/docs/libcurl/opts/CURLOPT_SSLCERTTYPE.md
+++ b/docs/libcurl/opts/CURLOPT_SSLCERTTYPE.md
@@ -39,7 +39,7 @@ the format of your certificate. Supported formats are "PEM" and "DER", except with Secure Transport or Schannel. OpenSSL (versions 0.9.3 and later), Secure Transport (on iOS 5 or later, or macOS 10.7 or later) and Schannel support "P12" for PKCS#12-encoded
-files.
+files. GnuTLS supports P12 starting with curl 8.11.0.
 The application does not have to keep the string around after setting this option.
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index dc9b102f18..562c5a3b2c 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -936,7 +936,19 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf,
 if(result)
 return result;
 }
- if(ssl_config->key_passwd) {
+ if(ssl_config->cert_type && strcasecompare(ssl_config->cert_type, "P12")) {
+ rc = gnutls_certificate_set_x509_simple_pkcs12_file( gtls->shared_creds->creds, config->clientcert, GNUTLS_X509_FMT_DER, ssl_config->key_passwd ? ssl_config->key_passwd : "");
+ if(rc != GNUTLS_E_SUCCESS) {
+ failf(data, "error reading X.509 potentially-encrypted key or certificate " "file: %s", gnutls_strerror(rc));
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ }
+ else if(ssl_config->key_passwd) {
 const unsigned int supported_key_encryption_algorithms =
 GNUTLS_PKCS_USE_PKCS12_3DES | GNUTLS_PKCS_USE_PKCS12_ARCFOUR |
 GNUTLS_PKCS_USE_PKCS12_RC2_40 | GNUTLS_PKCS_USE_PBES2_3DES |
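Review bot: The failure path of the new P12 branch in gtls.c reuses the key-file branch's wording, `"error reading X.509 potentially-encrypted key or certificate file: %s"`, so a wrong PKCS#12 password and a file that is not PKCS#12 at all surface as the same unspecific message; naming the format, e.g. `failf(data, "error reading PKCS#12 file: %s", gnutls_strerror(rc));`, makes the P12 case distinguishable in verbose output. The call also hard-codes GNUTLS_X509_FMT_DER although the loader's type argument admits PEM as well, so a one-line comment such as `/* PKCS#12 bundles are loaded as DER; the key and chain both come from clientcert */` would record that this is deliberate. Presumably a separately configured key file is ignored on this path, since only config->clientcert is handed to the PKCS#12 loader; if so, that is worth stating in the same comment. gtls_client_init and the enclosing block that reaches this point start outside the hunk, so whether config->clientcert is already checked non-NULL cannot be confirmed here.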