From 7307c1a289a75e164bd5cf000458f2a5a2f133f4 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Fri, 20 Sep 2024 18:04:46 +0900
Subject: [PATCH] gtls: Add P12 format support

This change adds P12 format support for GnuTLS backend.

Closes #14991
---
 docs/libcurl/opts/CURLOPT_SSLCERTTYPE.md | 2 +-
 lib/vtls/gtls.c | 14 +++++++++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/docs/libcurl/opts/CURLOPT_SSLCERTTYPE.md b/docs/libcurl/opts/CURLOPT_SSLCERTTYPE.md
index efde95b163..696344a900 100644
--- a/docs/libcurl/opts/CURLOPT_SSLCERTTYPE.md
+++ b/docs/libcurl/opts/CURLOPT_SSLCERTTYPE.md
@@ -39,7 +39,7 @@ the format of your certificate. Supported formats are "PEM" and "DER", except with Secure Transport or Schannel. OpenSSL (versions 0.9.3 and later), Secure Transport (on iOS 5 or later, or macOS 10.7 or later) and Schannel support "P12" for PKCS#12-encoded
-files.
+files. GnuTLS supports P12 starting with curl 8.11.0.
 The application does not have to keep the string around after setting this option.
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index dc9b102f18..562c5a3b2c 100644
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -936,7 +936,19 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf,
 if(result)
 return result;
 }
- if(ssl_config->key_passwd) {
+ if(ssl_config->cert_type && strcasecompare(ssl_config->cert_type, "P12")) {
+ rc = gnutls_certificate_set_x509_simple_pkcs12_file( gtls->shared_creds->creds, config->clientcert, GNUTLS_X509_FMT_DER, ssl_config->key_passwd ? ssl_config->key_passwd : "");
+ if(rc != GNUTLS_E_SUCCESS) {
+ failf(data,
+ "error reading X.509 potentially-encrypted key or certificate "
+ "file: %s",
+ gnutls_strerror(rc));
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+ }
+ else if(ssl_config->key_passwd) {
 const unsigned int supported_key_encryption_algorithms =
 GNUTLS_PKCS_USE_PKCS12_3DES | GNUTLS_PKCS_USE_PKCS12_ARCFOUR |
 GNUTLS_PKCS_USE_PKCS12_RC2_40 | GNUTLS_PKCS_USE_PBES2_3DES |
-- 
2.47.3
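Review bot: The new P12 branch hands the whole bundle to gnutls_certificate_set_x509_simple_pkcs12_file on gtls->shared_creds->creds, and as far as I recall that GnuTLS call also registers any CA certificate (and CRL) found inside the PKCS#12 as trusted on that same credential object, so a file supplied for client authentication would silently widen the set of CAs accepted when verifying the server, on credentials whose name suggests they are shared beyond this connection; please confirm against the GnuTLS documentation and, if it holds, either parse the file with gnutls_pkcs12_simple_parse and install only the key/certificate pair via gnutls_certificate_set_x509_key, or at least record the behaviour above the call with a comment such as `/* NOTE: GnuTLS also adds any CA certs/CRLs bundled in the PKCS#12 to the trust list of these (shared) creds */`. A smaller point: the failf text is copied verbatim from the PEM/DER key path, so a wrong PKCS#12 password and a corrupt PEM key report the identical message; `"error reading PKCS#12 file: %s"` would tell the user which parser failed. gtls_client_init begins and ends outside this hunk, so whether the branch is still guarded by a config->clientcert check is not visible here.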