deprecated;
};
+flag = {
+ name = rawpkkeyfile;
+ arg-type = string;
+ descrip = "Private key file (PKCS #8 or PKCS #12) or PKCS #11 URL to use";
+ doc = "Specify the private key file or URI to use; it must correspond to
+the raw public-key specified in --rawpkfile. Multiple key pairs
+can be specified with this option and in that case each occurrence of keyfile
+must be followed by the corresponding rawpkfile or vice-versa.
+
+In order to instruct the application to negotiate raw public keys one
+must enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*
+and CTYPE-SRV-* flags).
+
+Check the GnuTLS manual on section ``Priority strings'' for more
+information on how to set certificate types.";
+ stack-arg;
+ max = NOLIMIT;
+};
+
+flag = {
+ name = rawpkfile;
+ arg-type = string;
+ descrip = "Raw public-key file to use";
+ doc = "Specify the raw public-key file to use; it must correspond to
+the private key specified in --rawpkkeyfile. Multiple key pairs
+can be specified with this option and in that case each occurrence of keyfile
+must be followed by the corresponding rawpkfile or vice-versa.
+
+In order to instruct the application to negotiate raw public keys one
+must enable the respective certificate types via the priority strings (i.e. CTYPE-CLI-*
+and CTYPE-SRV-* flags).
+
+Check the GnuTLS manual on section ``Priority strings'' for more
+information on how to set certificate types.";
+ stack-arg;
+ max = NOLIMIT;
+ flags-must = rawpkkeyfile;
+};
+
flag = {
name = srppasswd;
arg-type = file;
--pskpasswd psk-passwd.txt
@end example
+If you want a server with support for raw public-keys we can also add these
+credentials. Note however that there is no identity information linked to these
+keys as is the case with regular x509 certificates. Authentication must be done
+via different means. Also we need to explicitly enable raw public-key certificates
+via the priority strings.
+
+@example
+gnutls-serv --http --priority NORMAL:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK \
+ --rawpkfile srv.rawpk.pem \
+ --rawpkkeyfile srv.key.pem
+@end example
+
+
Finally, we start the server with all the earlier parameters and you
get this command:
@example
-gnutls-serv --http --priority NORMAL:+PSK:+SRP \
+gnutls-serv --http --priority NORMAL:+PSK:+SRP:+CTYPE-CLI-RAWPK:+CTYPE-SRV-RAWPK \
--x509cafile x509-ca.pem \
--x509keyfile x509-server-key.pem \
--x509certfile x509-server.pem \
--x509certfile x509-server-ecc.pem \
--srppasswdconf srp-tpasswd.conf \
--srppasswd srp-passwd.txt \
- --pskpasswd psk-passwd.txt
+ --pskpasswd psk-passwd.txt \
+ --rawpkfile srv.rawpk.pem \
+ --rawpkkeyfile srv.key.pem
@end example
_EOF_;
};
const char *dh_params_file = NULL;
const char *x509_crlfile = NULL;
const char *priorities = NULL;
+const char **rawpk_keyfile = NULL;
+const char **rawpk_file = NULL;
+unsigned rawpk_keyfile_size = 0;
+unsigned rawpk_file_size = 0;
const char **ocsp_responses = NULL;
unsigned ocsp_responses_size = 0;
const char *err;
gnutls_datum_t alpn[MAX_ALPN_PROTOCOLS];
unsigned alpn_size;
- unsigned flags = GNUTLS_SERVER | GNUTLS_POST_HANDSHAKE_AUTH;
+ unsigned flags = GNUTLS_SERVER | GNUTLS_POST_HANDSHAKE_AUTH | GNUTLS_ENABLE_RAWPK;
if (dtls)
flags |= GNUTLS_DATAGRAM;
return http_buffer;
}
- if (gnutls_certificate_type_get(session) == GNUTLS_CRT_X509) {
+ if (gnutls_certificate_type_get2(session, GNUTLS_CTYPE_CLIENT) == GNUTLS_CRT_X509) {
const gnutls_datum_t *cert_list;
unsigned int cert_list_size = 0;
}
if (gnutls_auth_get_type(session) == GNUTLS_CRD_CERTIFICATE &&
- gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) {
+ gnutls_certificate_type_get2(session, GNUTLS_CTYPE_CLIENT) != GNUTLS_CRT_X509) {
tmp =
gnutls_certificate_type_get_name
- (gnutls_certificate_type_get(session));
+ (gnutls_certificate_type_get2(session, GNUTLS_CTYPE_CLIENT));
if (tmp == NULL)
tmp = str_unknown;
snprintf(tmp_buffer, tmp_buffer_size,
exit(1);
}
+ /* X509 credentials */
if (x509_cafile != NULL) {
if ((ret = gnutls_certificate_set_x509_trust_file
(cert_cred, x509_cafile, x509ctype)) < 0) {
cert_set = 1;
}
}
+
+ /* Raw public-key credentials */
+ if (rawpk_file_size > 0 && rawpk_keyfile_size > 0) {
+ for (i = 0; i < rawpk_keyfile_size; i++) {
+ ret = gnutls_certificate_set_rawpk_key_file(cert_cred, rawpk_file[i],
+ rawpk_keyfile[i],
+ x509ctype,
+ NULL, 0, NULL, 0,
+ 0, 0);
+ if (ret < 0) {
+ fprintf(stderr, "Error reading '%s' or '%s'\n",
+ rawpk_file[i], rawpk_keyfile[i]);
+ GERR(ret);
+ exit(1);
+ } else {
+ cert_set = 1;
+ }
+ }
+ }
if (cert_set == 0) {
fprintf(stderr,
if (x509_certfile_size != x509_keyfile_size) {
fprintf(stderr, "The certificate number provided (%u) doesn't match the keys (%u)\n",
x509_certfile_size, x509_keyfile_size);
+ exit(1);
}
if (HAVE_OPT(X509CAFILE))
x509_cafile = OPT_ARG(X509CAFILE);
if (HAVE_OPT(X509CRLFILE))
x509_crlfile = OPT_ARG(X509CRLFILE);
+
+ if (HAVE_OPT(RAWPKKEYFILE)) {
+ rawpk_keyfile = STACKLST_OPT(RAWPKKEYFILE);
+ rawpk_keyfile_size = STACKCT_OPT(RAWPKKEYFILE);
+ }
+
+ if (HAVE_OPT(RAWPKFILE)) {
+ rawpk_file = STACKLST_OPT(RAWPKFILE);
+ rawpk_file_size = STACKCT_OPT(RAWPKFILE);
+ }
+
+ if (rawpk_file_size != rawpk_keyfile_size) {
+ fprintf(stderr, "The number of raw public-keys provided (%u) doesn't match the number of corresponding private keys (%u)\n",
+ rawpk_file_size, rawpk_keyfile_size);
+ exit(1);
+ }
if (HAVE_OPT(SRPPASSWD))
srp_passwd = OPT_ARG(SRPPASSWD);
projects / thirdparty / gnutls.git / commitdiff
