[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[SCM] GNU gnutls branch, new, updated. gnutls_2_9_10-51-gb94f9dc
|
From: |
Nikos Mavrogiannopoulos |
|
Subject: |
[SCM] GNU gnutls branch, new, updated. gnutls_2_9_10-51-gb94f9dc |
|
Date: |
Tue, 18 May 2010 21:52:07 +0000 |
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU gnutls".
http://git.savannah.gnu.org/cgit/gnutls.git/commit/?id=b94f9dc069ffd9143c6dfba453f2431f7f432c34
The branch, new has been updated
via b94f9dc069ffd9143c6dfba453f2431f7f432c34 (commit)
via ec3aa863655ea92241fac82b73b486c744185f17 (commit)
via 262dcdafc3438392ad5fac65218150294422d1bf (commit)
via 8cbc9a3483bcfabdc0e28881e753041439688326 (commit)
via 61977e2157e742b5d3b3fb0c98f659c983f1b850 (commit)
via 11e038dfb69c3258fea776cae13376d4c8f27909 (commit)
via 0ec6485208488ec04fe5a7caf2564f37cb1747b1 (commit)
via 1065b0aa01b564f11c3a727f394a16980b2917b6 (commit)
via 67a0577dc49e12e2998d5ee4f65f783fdbf939d8 (commit)
from 32138bf001b3c8ebd65a8773b03ec4c1b4295961 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit b94f9dc069ffd9143c6dfba453f2431f7f432c34
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue May 18 23:45:08 2010 +0200
Documented that the --file options in gnutls-cli and gnutls-serv can accept
a PKCS #11 URL.
commit ec3aa863655ea92241fac82b73b486c744185f17
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue May 18 23:41:22 2010 +0200
Corrected bug in DSA signature generation.
commit 262dcdafc3438392ad5fac65218150294422d1bf
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue May 18 23:18:07 2010 +0200
Added operations to sign CRLs, certificates and requests with an abstract
key and thus with a PKCS #11 key as well.
commit 8cbc9a3483bcfabdc0e28881e753041439688326
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue May 18 22:26:13 2010 +0200
privkey.h -> abstract.h
commit 61977e2157e742b5d3b3fb0c98f659c983f1b850
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue May 18 22:17:34 2010 +0200
The gnutls-cli --x509cafile can now be a PKCS #11 URL. It can read
gnome-keyring's
certificates and use them in the trusted list.
commit 11e038dfb69c3258fea776cae13376d4c8f27909
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Sun May 16 14:08:27 2010 +0200
Documented that gnutls_global_init calls gnutls_pkcs11_init.
commit 0ec6485208488ec04fe5a7caf2564f37cb1747b1
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue May 18 21:36:43 2010 +0200
Documented behavioral change.
commit 1065b0aa01b564f11c3a727f394a16980b2917b6
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue May 18 21:26:25 2010 +0200
Because we want to differentiate the behavior of server
and client with regards to safe renegotiation. If a server didn't
have either SAFE_RENEGOTIATION or UNSAFE_RENEGOTIATION set the
safe renegotiation will be the default. This (as well as the
safe_renegotiation_set flag) has to be removed once safe
renegotiation is default in both server and client side.
commit 67a0577dc49e12e2998d5ee4f65f783fdbf939d8
Author: Nikos Mavrogiannopoulos <address@hidden>
Date: Tue May 18 21:17:07 2010 +0200
Emulate old gnutls behavior regarding safe renegotiation if the priority_*
functions are not called.
-----------------------------------------------------------------------
Summary of changes:
doc/manpages/gnutls-cli.1 | 7 +-
lib/Makefile.am | 9 +-
lib/auth_cert.c | 2 +-
lib/auth_cert.h | 2 +-
lib/configure.ac | 2 +-
lib/gnutls_int.h | 1 +
lib/gnutls_priority.c | 41 ++++++-
lib/gnutls_privkey.c | 4 +-
lib/gnutls_sig.h | 2 +-
lib/gnutls_state.c | 5 +
lib/gnutls_x509.c | 75 +++++++++++++-
lib/gnutls_x509.h | 2 +-
lib/includes/gnutls/{privkey.h => abstract.h} | 16 +++
lib/libgnutls.map | 3 +
lib/openpgp/gnutls_openpgp.h | 2 +-
lib/pkcs11.c | 3 +
lib/x509/crl_write.c | 74 ++++++++++++--
lib/x509/crq.c | 143 +++++++++++++++++++------
lib/x509/mpi.c | 3 +-
lib/x509/sign.c | 72 +++++++------
lib/x509/x509_int.h | 12 +--
lib/x509/x509_write.c | 75 ++++++++++++--
src/cli-gaa.c | 6 +-
src/cli.c | 1 +
src/cli.gaa | 6 +-
src/serv-gaa.c | 6 +-
src/serv.gaa | 6 +-
27 files changed, 455 insertions(+), 125 deletions(-)
rename lib/includes/gnutls/{privkey.h => abstract.h} (71%)
diff --git a/doc/manpages/gnutls-cli.1 b/doc/manpages/gnutls-cli.1
index 4e1f483..f69eff3 100644
--- a/doc/manpages/gnutls-cli.1
+++ b/doc/manpages/gnutls-cli.1
@@ -146,13 +146,14 @@ SRP password to use.
.IP "\-\-srpusername \fINAME\fR"
SRP username to use.
.IP "\-\-x509cafile \fIFILE\fR"
-Certificate file to use.
+Certificate file to use. This option accepts PKCS \#11 URLs such as
+pkcs11:token=Root%20CA%20Certificates;serial=1%3AROOTS%3ADEFAULT;model=1%2E0;manufacturer=Gnome%20Keyring
.IP "\-\-x509certfile \fIFILE\fR"
-X.509 Certificate file to use.
+X.509 Certificate file to use, or a PKCS \#11 URL.
.IP "\-\-x509fmtder"
Use DER format for certificates
.IP "\-\-x509keyfile \fIFILE\fR"
-X.509 key file to use.
+X.509 key file or PKCS \#11 URL to use.
.IP "\-\-x509crlfile \fIFILE\fR"
X.509 CRL file to use.
.IP "\-\-pskusername \fINAME\fR"
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 8446975..b80467e 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -82,11 +82,8 @@ COBJECTS = gnutls_record.c gnutls_compress.c debug.c
gnutls_cipher.c \
auth_dh_common.c gnutls_helper.c gnutls_supplemental.c \
crypto.c random.c pk-libgcrypt.c mpi-libgcrypt.c cryptodev.c \
rnd-libgcrypt.c cipher-libgcrypt.c mac-libgcrypt.c ext_signature.c \
- crypto-api.c ext_safe_renegotiation.c gnutls_privkey.c
-
-if ENABLE_PKCS11
-COBJECTS += pkcs11.c pkcs11_privkey.c
-endif
+ crypto-api.c ext_safe_renegotiation.c gnutls_privkey.c \
+ pkcs11.c pkcs11_privkey.c
if ENABLE_OPRFI
COBJECTS += $(OPRFI_COBJECTS)
@@ -138,7 +135,7 @@ else
libgnutls_la_LDFLAGS += $(LTLIBTASN1)
endif
-if ENABLE_PKCS11
+if ENABLE_PAKCHOIS
libgnutls_la_LDFLAGS += $(LTLIBPAKCHOIS)
endif
diff --git a/lib/auth_cert.c b/lib/auth_cert.c
index faee7d7..8d4a7e3 100644
--- a/lib/auth_cert.c
+++ b/lib/auth_cert.c
@@ -45,7 +45,7 @@
#include <gnutls_state.h>
#include <gnutls_pk.h>
#include <gnutls_x509.h>
-#include <gnutls/privkey.h>
+#include <gnutls/abstract.h>
#include "debug.h"
#ifdef ENABLE_OPENPGP
diff --git a/lib/auth_cert.h b/lib/auth_cert.h
index 205eaa7..d8fe300 100644
--- a/lib/auth_cert.h
+++ b/lib/auth_cert.h
@@ -30,7 +30,7 @@
# include "auth_dh_common.h"
# include "x509/x509_int.h"
# include "openpgp/openpgp_int.h"
-# include <gnutls/privkey.h>
+# include <gnutls/abstract.h>
# include <gnutls/compat.h>
/* This structure may be complex, but it's the only way to
diff --git a/lib/configure.ac b/lib/configure.ac
index fdb3857..60a2fd1 100644
--- a/lib/configure.ac
+++ b/lib/configure.ac
@@ -94,7 +94,7 @@ if test x$ac_pakchois != xno; then
else
AC_MSG_RESULT(no)
fi
-AM_CONDITIONAL(ENABLE_PKCS11, test "$ac_cv_libpakchois" = "yes")
+AM_CONDITIONAL(ENABLE_PAKCHOIS, test "$ac_cv_libpakchois" = "yes")
lgl_INIT
diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
index 35c2ca0..a4c01bf 100644
--- a/lib/gnutls_int.h
+++ b/lib/gnutls_int.h
@@ -467,6 +467,7 @@ struct gnutls_priority_st
int unsafe_renegotiation:1;
int initial_safe_renegotiation:1;
int disable_safe_renegotiation:1;
+ int safe_renegotiation_set:1; /* whether the priority string set any
renegotiation parameters */
int ssl3_record_version;
int additional_verify_flags;
};
diff --git a/lib/gnutls_priority.c b/lib/gnutls_priority.c
index 4b1607d..ae7c697 100644
--- a/lib/gnutls_priority.c
+++ b/lib/gnutls_priority.c
@@ -448,6 +448,21 @@ gnutls_priority_set (gnutls_session_t session,
gnutls_priority_t priority)
memcpy (&session->internals.priorities, priority,
sizeof (struct gnutls_priority_st));
+ /* Hack. Because we want to differentiate the behavior of server
+ * and client with regards to safe renegotiation. If a server didn't
+ * have either SAFE_RENEGOTIATION or UNSAFE_RENEGOTIATION set the
+ * safe renegotiation will be the default. This (as well as the
+ * safe_renegotiation_set flag) has to be removed once safe
+ * renegotiation is default in both server and client side.
+ */
+ if (session->security_parameters.entity == GNUTLS_SERVER)
+ {
+ if (session->internals.priorities.safe_renegotiation_set == 0)
+ {
+ session->internals.priorities.unsafe_renegotiation = 0;
+ }
+ }
+
/* set the current version to the first in the chain.
* This will be overridden later.
*/
@@ -523,10 +538,12 @@ gnutls_priority_set (gnutls_session_t session,
gnutls_priority_t priority)
* "%COMPAT" will enable compatibility features for a server.
*
* "%UNSAFE_RENEGOTIATION" will allow unsafe renegotiation (this is now
- * the default, but will change once more servers support the safe
renegotiation
+ * the default for clients, but will change once more servers support the safe
renegotiation
* TLS fix).
*
- * "%SAFE_RENEGOTIATION" will allow safe renegotiation only.
+ * "%SAFE_RENEGOTIATION" will allow safe renegotiation only (this is the
+ * default for servers - that will reject clients trying to perform an
+ * unsafe renegotiation).
*
* "%INITIAL_SAFE_RENEGOTIATION" will force initial safe negotiation even if
* renegotiation wasn't requested. Only valid for server side and implies
@@ -576,6 +593,10 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
gnutls_assert ();
return GNUTLS_E_MEMORY_ERROR;
}
+
+ /* for now unsafe renegotiation is default on everyone. To be removed
+ * when we make it the default.
+ */
(*priority_cache)->unsafe_renegotiation = 1;
if (priorities == NULL)
@@ -727,18 +748,28 @@ gnutls_priority_init (gnutls_priority_t * priority_cache,
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT;
else if (strcasecmp (&broken_list[i][1],
"UNSAFE_RENEGOTIATION") == 0)
- (*priority_cache)->unsafe_renegotiation = 1;
+ {
+ (*priority_cache)->unsafe_renegotiation = 1;
+ (*priority_cache)->safe_renegotiation_set = 1;
+ }
else if (strcasecmp (&broken_list[i][1], "SAFE_RENEGOTIATION") == 0)
- (*priority_cache)->unsafe_renegotiation = 0;
+ {
+ (*priority_cache)->unsafe_renegotiation = 0;
+ (*priority_cache)->safe_renegotiation_set = 1;
+ }
else if (strcasecmp (&broken_list[i][1],
"INITIAL_SAFE_RENEGOTIATION") == 0)
{
(*priority_cache)->unsafe_renegotiation = 0;
(*priority_cache)->initial_safe_renegotiation = 1;
+ (*priority_cache)->safe_renegotiation_set = 1;
}
else if (strcasecmp (&broken_list[i][1],
"DISABLE_SAFE_RENEGOTIATION") == 0)
- (*priority_cache)->disable_safe_renegotiation = 1;
+ {
+ (*priority_cache)->disable_safe_renegotiation = 1;
+ (*priority_cache)->safe_renegotiation_set = 1;
+ }
else
goto error;
}
diff --git a/lib/gnutls_privkey.c b/lib/gnutls_privkey.c
index 852333d..4e231f7 100644
--- a/lib/gnutls_privkey.c
+++ b/lib/gnutls_privkey.c
@@ -29,7 +29,7 @@
#include <gnutls_errors.h>
#include <gnutls_datum.h>
#include <pkcs11_int.h>
-#include <gnutls/privkey.h>
+#include <gnutls/abstract.h>
#include <sign.h>
#include <gnutls_pk.h>
#include <x509_int.h>
@@ -322,5 +322,3 @@ int gnutls_privkey_decrypt_data(gnutls_privkey_t key,
}
}
-
-
diff --git a/lib/gnutls_sig.h b/lib/gnutls_sig.h
index f158267..c236fc3 100644
--- a/lib/gnutls_sig.h
+++ b/lib/gnutls_sig.h
@@ -26,7 +26,7 @@
#ifndef GNUTLS_SIG_H
# define GNUTLS_SIG_H
-#include <gnutls/privkey.h>
+#include <gnutls/abstract.h>
int _gnutls_handshake_sign_cert_vrfy (gnutls_session_t session,
gnutls_cert * cert,
diff --git a/lib/gnutls_state.c b/lib/gnutls_state.c
index 356a22e..09b0ed9 100644
--- a/lib/gnutls_state.c
+++ b/lib/gnutls_state.c
@@ -347,6 +347,11 @@ gnutls_init (gnutls_session_t * session,
gnutls_connection_end_t con_end)
_gnutls_handshake_internal_state_init (*session);
+ /* emulate old gnutls behavior for old applications that do not use the
priority_*
+ * functions.
+ */
+ (*session)->internals.priorities.unsafe_renegotiation = 1;
+
return 0;
}
diff --git a/lib/gnutls_x509.c b/lib/gnutls_x509.c
index b2ae575..78953c4 100644
--- a/lib/gnutls_x509.c
+++ b/lib/gnutls_x509.c
@@ -562,6 +562,68 @@ cleanup:
/* Reads a private key from a token.
*/
+static int read_cas_url (gnutls_certificate_credentials_t res, const char* url)
+{
+int ret;
+gnutls_x509_crt_t * xcrt_list = NULL;
+gnutls_pkcs11_crt_t *pcrt_list=NULL;
+unsigned int pcrt_list_size = 0;
+
+ ret = gnutls_pkcs11_crt_list_import_url( NULL, &pcrt_list_size, url,
GNUTLS_PKCS11_CRT_ATTR_TRUSTED);
+ if (ret < 0 && ret != GNUTLS_E_SHORT_MEMORY_BUFFER) {
+ gnutls_assert();
+ return ret;
+ }
+
+ if (pcrt_list_size == 0) {
+ gnutls_assert();
+ return 0;
+ }
+
+ pcrt_list = gnutls_malloc(sizeof(*pcrt_list)*pcrt_list_size);
+ if (pcrt_list == NULL) {
+ gnutls_assert();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
+ ret = gnutls_pkcs11_crt_list_import_url( pcrt_list, &pcrt_list_size,
url, GNUTLS_PKCS11_CRT_ATTR_TRUSTED);
+ if (ret < 0) {
+ gnutls_assert();
+ goto cleanup;
+ }
+
+ xcrt_list = gnutls_malloc(sizeof(*xcrt_list)*pcrt_list_size);
+ if (xcrt_list == NULL) {
+ gnutls_assert();
+ ret = GNUTLS_E_MEMORY_ERROR;
+ goto cleanup;
+ }
+
+ ret = gnutls_x509_crt_list_import_pkcs11(xcrt_list, pcrt_list_size,
pcrt_list, 0);
+ if (xcrt_list == NULL) {
+ gnutls_assert();
+ ret = GNUTLS_E_MEMORY_ERROR;
+ goto cleanup;
+ }
+
+ res->x509_ca_list = xcrt_list;
+ res->x509_ncas = pcrt_list_size;
+
+ gnutls_free(pcrt_list);
+
+ return pcrt_list_size;
+
+cleanup:
+ gnutls_free(xcrt_list);
+ gnutls_free(pcrt_list);
+
+ return ret;
+
+}
+
+
+/* Reads a private key from a token.
+ */
static int read_cert_url (gnutls_certificate_credentials_t res, const char*
url)
{
int ret;
@@ -883,6 +945,9 @@ gnutls_certificate_set_x509_key
(gnutls_certificate_credentials_t res,
* Currently only PKCS-1 encoded RSA and DSA private keys are accepted by
* this function.
*
+ * This function can also accept PKCS #11 URLs. In that case it
+ * will import the private key and certificate indicated by the urls.
+ *
* Returns: %GNUTLS_E_SUCCESS on success, or an error code.
**/
int
@@ -1285,6 +1350,9 @@ gnutls_certificate_set_x509_trust
(gnutls_certificate_credentials_t res,
* the client if a certificate request is sent. This can be disabled
* using gnutls_certificate_send_x509_rdn_sequence().
*
+ * This function can also accept PKCS #11 URLs. In that case it
+ * will import all certificates that are marked as trusted.
+ *
* Returns: number of certificates processed, or a negative value on
* error.
**/
@@ -1295,8 +1363,13 @@ gnutls_certificate_set_x509_trust_file
(gnutls_certificate_credentials_t res,
{
int ret, ret2;
size_t size;
- char *data = read_binary_file (cafile, &size);
+ char* data;
+
+ if (strncmp(cafile, "pkcs11:", 7)==0) {
+ return read_cas_url(res, cafile);
+ }
+ data = read_binary_file (cafile, &size);
if (data == NULL)
{
gnutls_assert ();
diff --git a/lib/gnutls_x509.h b/lib/gnutls_x509.h
index 7865271..545adad 100644
--- a/lib/gnutls_x509.h
+++ b/lib/gnutls_x509.h
@@ -24,7 +24,7 @@
*/
#include <libtasn1.h>
-#include <gnutls/privkey.h>
+#include <gnutls/abstract.h>
int _gnutls_x509_cert_verify_peers (gnutls_session_t session,
unsigned int *status);
diff --git a/lib/includes/gnutls/privkey.h b/lib/includes/gnutls/abstract.h
similarity index 71%
rename from lib/includes/gnutls/privkey.h
rename to lib/includes/gnutls/abstract.h
index c6cdef5..8e75dce 100644
--- a/lib/includes/gnutls/privkey.h
+++ b/lib/includes/gnutls/abstract.h
@@ -34,4 +34,20 @@ int gnutls_privkey_decrypt_data(gnutls_privkey_t signer,
const gnutls_datum_t * ciphertext,
gnutls_datum_t * plaintext);
+int gnutls_x509_crt_privkey_sign (gnutls_x509_crt_t crt, gnutls_x509_crt_t
issuer,
+ gnutls_privkey_t issuer_key,
+ gnutls_digest_algorithm_t dig,
+ unsigned int flags);
+
+int gnutls_x509_crl_privkey_sign (gnutls_x509_crl_t crl,
+ gnutls_x509_crt_t issuer,
+ gnutls_privkey_t issuer_key,
+ gnutls_digest_algorithm_t dig,
+ unsigned int flags);
+
+int gnutls_x509_crq_privkey_sign (gnutls_x509_crq_t crq,
+ gnutls_privkey_t key,
+ gnutls_digest_algorithm_t dig,
+ unsigned int flags);
+
#endif
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index 7f9fa81..dd234f7 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -646,6 +646,9 @@ GNUTLS_2_11
gnutls_privkey_sign_hash;
gnutls_privkey_decrypt_data;
gnutls_pkcs11_privkey_export_url;
+ gnutls_x509_crq_privkey_sign;
+ gnutls_x509_crl_privkey_sign;
+ gnutls_x509_crt_privkey_sign;
} GNUTLS_2_10;
diff --git a/lib/openpgp/gnutls_openpgp.h b/lib/openpgp/gnutls_openpgp.h
index 411c5aa..b5f67d4 100644
--- a/lib/openpgp/gnutls_openpgp.h
+++ b/lib/openpgp/gnutls_openpgp.h
@@ -7,7 +7,7 @@
#include <auth_cert.h>
#include <opencdk.h>
-#include <gnutls/privkey.h>
+#include <gnutls/abstract.h>
/* OpenCDK compatible */
typedef enum
diff --git a/lib/pkcs11.c b/lib/pkcs11.c
index 79c0f4e..6bc291d 100644
--- a/lib/pkcs11.c
+++ b/lib/pkcs11.c
@@ -223,6 +223,9 @@ static int init = 0;
* you to independently load PKCS 11 modules using gnutls_pkcs11_add_provider()
* if %GNUTLS_PKCS11_FLAG_MANUAL is specified.
*
+ * Normally you don't need to call this function since it is being called
+ * by gnutls_global_init(). Otherwise you must call it before it.
+ *
* Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
* negative error value.
**/
diff --git a/lib/x509/crl_write.c b/lib/x509/crl_write.c
index cfc806d..8fcdf8c 100644
--- a/lib/x509/crl_write.c
+++ b/lib/x509/crl_write.c
@@ -101,6 +101,7 @@ gnutls_x509_crl_sign2 (gnutls_x509_crl_t crl,
gnutls_x509_crt_t issuer,
gnutls_digest_algorithm_t dig, unsigned int flags)
{
int result;
+ gnutls_privkey_t privkey;
if (crl == NULL || issuer == NULL)
{
@@ -108,19 +109,33 @@ gnutls_x509_crl_sign2 (gnutls_x509_crl_t crl,
gnutls_x509_crt_t issuer,
return GNUTLS_E_INVALID_REQUEST;
}
- /* disable all the unneeded OPTIONAL fields.
- */
- disable_optional_stuff (crl);
-
- result = _gnutls_x509_pkix_sign (crl->crl, "tbsCertList",
- dig, issuer, issuer_key);
+ result = gnutls_privkey_init(&privkey);
if (result < 0)
{
gnutls_assert ();
return result;
}
- return 0;
+ result = gnutls_privkey_import_x509(privkey, issuer_key, 0);
+ if (result < 0)
+ {
+ gnutls_assert ();
+ goto fail;
+ }
+
+ result = gnutls_x509_crl_privkey_sign (crl, issuer, privkey, dig, flags);
+ if (result < 0)
+ {
+ gnutls_assert ();
+ goto fail;
+ }
+
+ result = 0;
+
+fail:
+ gnutls_privkey_deinit(privkey);
+
+ return result;
}
/**
@@ -441,4 +456,49 @@ gnutls_x509_crl_set_number (gnutls_x509_crl_t crl,
return 0;
}
+/**
+ * gnutls_x509_crl_privkey_sign:
+ * @crl: should contain a gnutls_x509_crl_t structure
+ * @issuer: is the certificate of the certificate issuer
+ * @issuer_key: holds the issuer's private key
+ * @dig: The message digest to use. GNUTLS_DIG_SHA1 is the safe choice unless
you know what you're doing.
+ * @flags: must be 0
+ *
+ * This function will sign the CRL with the issuer's private key, and
+ * will copy the issuer's information into the CRL.
+ *
+ * This must be the last step in a certificate CRL since all
+ * the previously set parameters are now signed.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
+int
+gnutls_x509_crl_privkey_sign (gnutls_x509_crl_t crl, gnutls_x509_crt_t issuer,
+ gnutls_privkey_t issuer_key,
+ gnutls_digest_algorithm_t dig, unsigned int flags)
+{
+ int result;
+
+ if (crl == NULL || issuer == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ /* disable all the unneeded OPTIONAL fields.
+ */
+ disable_optional_stuff (crl);
+
+ result = _gnutls_x509_pkix_sign (crl->crl, "tbsCertList",
+ dig, issuer, issuer_key);
+ if (result < 0)
+ {
+ gnutls_assert ();
+ return result;
+ }
+
+ return 0;
+}
+
#endif /* ENABLE_PKI */
diff --git a/lib/x509/crq.c b/lib/x509/crq.c
index ca21c48..d58c569 100644
--- a/lib/x509/crq.c
+++ b/lib/x509/crq.c
@@ -1010,7 +1010,7 @@ gnutls_x509_crq_sign2 (gnutls_x509_crq_t crq,
gnutls_x509_privkey_t key,
gnutls_digest_algorithm_t dig, unsigned int flags)
{
int result;
- gnutls_datum_t signature;
+ gnutls_privkey_t privkey;
if (crq == NULL)
{
@@ -1018,55 +1018,33 @@ gnutls_x509_crq_sign2 (gnutls_x509_crq_t crq,
gnutls_x509_privkey_t key,
return GNUTLS_E_INVALID_REQUEST;
}
- /* Make sure version field is set. */
- if (gnutls_x509_crq_get_version (crq) == GNUTLS_E_ASN1_VALUE_NOT_FOUND)
- {
- result = gnutls_x509_crq_set_version (crq, 1);
- if (result < 0)
- {
- gnutls_assert ();
- return result;
- }
- }
-
- /* Step 1. Self sign the request.
- */
- result =
- _gnutls_x509_sign_tbs (crq->crq, "certificationRequestInfo",
- dig, key, &signature);
-
+ result = gnutls_privkey_init(&privkey);
if (result < 0)
{
gnutls_assert ();
return result;
}
- /* Step 2. write the signature (bits)
- */
- result =
- asn1_write_value (crq->crq, "signature", signature.data,
- signature.size * 8);
-
- _gnutls_free_datum (&signature);
-
- if (result != ASN1_SUCCESS)
+ result = gnutls_privkey_import_x509(privkey, key, 0);
+ if (result < 0)
{
gnutls_assert ();
- return _gnutls_asn2err (result);
+ goto fail;
}
- /* Step 3. Write the signatureAlgorithm field.
- */
- result = _gnutls_x509_write_sig_params (crq->crq, "signatureAlgorithm",
- key->pk_algorithm, dig, key->params,
- key->params_size);
+ result = gnutls_x509_crq_privkey_sign (crq, privkey, dig, flags);
if (result < 0)
{
gnutls_assert ();
- return result;
+ goto fail;
}
- return 0;
+ result = 0;
+
+fail:
+ gnutls_privkey_deinit(privkey);
+
+ return result;
}
/**
@@ -2445,5 +2423,100 @@ gnutls_x509_crq_get_key_id (gnutls_x509_crq_t crq,
unsigned int flags,
return result;
}
+/**
+ * gnutls_x509_crq_privkey_sign:
+ * @crq: should contain a #gnutls_x509_crq_t structure
+ * @key: holds a private key
+ * @dig: The message digest to use, i.e., %GNUTLS_DIG_SHA1
+ * @flags: must be 0
+ *
+ * This function will sign the certificate request with a private key.
+ * This must be the same key as the one used in
+ * gnutls_x509_crt_set_key() since a certificate request is self
+ * signed.
+ *
+ * This must be the last step in a certificate request generation
+ * since all the previously set parameters are now signed.
+ *
+ * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
+ * %GNUTLS_E_ASN1_VALUE_NOT_FOUND is returned if you didn't set all
+ * information in the certificate request (e.g., the version using
+ * gnutls_x509_crq_set_version()).
+ *
+ **/
+int
+gnutls_x509_crq_privkey_sign (gnutls_x509_crq_t crq, gnutls_privkey_t key,
+ gnutls_digest_algorithm_t dig, unsigned int flags)
+{
+ int result;
+ gnutls_datum_t signature;
+ gnutls_datum_t tbs;
+
+ if (crq == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ /* Make sure version field is set. */
+ if (gnutls_x509_crq_get_version (crq) == GNUTLS_E_ASN1_VALUE_NOT_FOUND)
+ {
+ result = gnutls_x509_crq_set_version (crq, 1);
+ if (result < 0)
+ {
+ gnutls_assert ();
+ return result;
+ }
+ }
+
+ /* Step 1. Self sign the request.
+ */
+ result =
+ _gnutls_x509_get_tbs (crq->crq, "certificationRequestInfo",
+ &tbs);
+
+ if (result < 0)
+ {
+ gnutls_assert ();
+ return result;
+ }
+
+ result = gnutls_privkey_sign_data (key, dig, 0, &tbs, &signature);
+ gnutls_free(tbs.data);
+
+ if (result < 0)
+ {
+ gnutls_assert ();
+ return result;
+ }
+
+ /* Step 2. write the signature (bits)
+ */
+ result =
+ asn1_write_value (crq->crq, "signature", signature.data,
+ signature.size * 8);
+
+ _gnutls_free_datum (&signature);
+
+ if (result != ASN1_SUCCESS)
+ {
+ gnutls_assert ();
+ return _gnutls_asn2err (result);
+ }
+
+ /* Step 3. Write the signatureAlgorithm field.
+ */
+ result = _gnutls_x509_write_sig_params (crq->crq, "signatureAlgorithm",
+ gnutls_privkey_get_pk_algorithm(key,
NULL), dig);
+ if (result < 0)
+ {
+ gnutls_assert ();
+ return result;
+ }
+
+ return 0;
+}
+
+
#endif /* ENABLE_PKI */
diff --git a/lib/x509/mpi.c b/lib/x509/mpi.c
index 0a65d21..3a3bc22 100644
--- a/lib/x509/mpi.c
+++ b/lib/x509/mpi.c
@@ -422,8 +422,7 @@ cleanup:
int
_gnutls_x509_write_sig_params (ASN1_TYPE dst, const char *dst_name,
gnutls_pk_algorithm_t pk_algorithm,
- gnutls_digest_algorithm_t dig,
- bigint_t * params, int params_size)
+ gnutls_digest_algorithm_t dig)
{
int result;
char name[128];
diff --git a/lib/x509/sign.c b/lib/x509/sign.c
index 00e2e2a..ef817c1 100644
--- a/lib/x509/sign.c
+++ b/lib/x509/sign.c
@@ -42,13 +42,14 @@
#include <x509_int.h>
#include <common.h>
#include <sign.h>
+#include <gnutls/abstract.h>
/* Writes the digest information and the digest in a DER encoded
* structure. The digest info is allocated and stored into the info structure.
*/
static int
encode_ber_digest_info (gnutls_digest_algorithm_t hash,
- const gnutls_datum_t * digest, gnutls_datum_t * info)
+ const gnutls_datum_t * digest, gnutls_datum_t * output)
{
ASN1_TYPE dinfo = ASN1_TYPE_EMPTY;
int result;
@@ -100,18 +101,18 @@ encode_ber_digest_info (gnutls_digest_algorithm_t hash,
return _gnutls_asn2err (result);
}
- info->size = 0;
- asn1_der_coding (dinfo, "", NULL, &info->size, NULL);
+ output->size = 0;
+ asn1_der_coding (dinfo, "", NULL, &output->size, NULL);
- info->data = gnutls_malloc (info->size);
- if (info->data == NULL)
+ output->data = gnutls_malloc (output->size);
+ if (output->data == NULL)
{
gnutls_assert ();
asn1_delete_structure (&dinfo);
return GNUTLS_E_MEMORY_ERROR;
}
- result = asn1_der_coding (dinfo, "", info->data, &info->size, NULL);
+ result = asn1_der_coding (dinfo, "", output->data, &output->size, NULL);
if (result != ASN1_SUCCESS)
{
gnutls_assert ();
@@ -165,23 +166,32 @@ int
pk_dsa_hash (const gnutls_datum_t * text, gnutls_datum_t * hash)
{
int ret;
- opaque _digest[MAX_HASH_SIZE];
digest_hd_st hd;
+ hash->size = 20;
+ hash->data = gnutls_malloc(20);
+ if (hash->data == NULL)
+ {
+ gnutls_assert();
+ return GNUTLS_E_MEMORY_ERROR;
+ }
+
ret = _gnutls_hash_init (&hd, GNUTLS_MAC_SHA1);
if (ret < 0)
{
gnutls_assert ();
- return ret;
+ goto fail;
}
_gnutls_hash (&hd, text->data, text->size);
- _gnutls_hash_deinit (&hd, _digest);
-
- hash->data = _digest;
- hash->size = 20;
+ _gnutls_hash_deinit (&hd, hash->data);
return 0;
+
+fail:
+ gnutls_free(hash->data);
+
+ return ret;
}
/* This is the same as the _gnutls_x509_sign, but this one will decode
@@ -189,15 +199,12 @@ pk_dsa_hash (const gnutls_datum_t * text, gnutls_datum_t
* hash)
* of the TBS and sign it on the fly.
*/
int
-_gnutls_x509_sign_tbs (ASN1_TYPE cert, const char *tbs_name,
- gnutls_digest_algorithm_t hash,
- gnutls_x509_privkey_t signer,
- gnutls_datum_t * signature)
+_gnutls_x509_get_tbs (ASN1_TYPE cert, const char *tbs_name,
+ gnutls_datum_t * tbs)
{
int result;
opaque *buf;
int buf_size;
- gnutls_datum_t tbs;
buf_size = 0;
asn1_der_coding (cert, tbs_name, NULL, &buf_size, NULL);
@@ -218,13 +225,10 @@ _gnutls_x509_sign_tbs (ASN1_TYPE cert, const char
*tbs_name,
return _gnutls_asn2err (result);
}
- tbs.data = buf;
- tbs.size = buf_size;
-
- result = gnutls_x509_privkey_sign_data2 (signer, hash, 0, &tbs, signature);
- gnutls_free (buf);
+ tbs->data = buf;
+ tbs->size = buf_size;
- return result;
+ return 0;
}
/*-
@@ -243,10 +247,11 @@ int
_gnutls_x509_pkix_sign (ASN1_TYPE src, const char *src_name,
gnutls_digest_algorithm_t dig,
gnutls_x509_crt_t issuer,
- gnutls_x509_privkey_t issuer_key)
+ gnutls_privkey_t issuer_key)
{
int result;
gnutls_datum_t signature;
+ gnutls_datum_t tbs;
char name[128];
/* Step 1. Copy the issuer's name into the certificate.
@@ -267,9 +272,7 @@ _gnutls_x509_pkix_sign (ASN1_TYPE src, const char *src_name,
_gnutls_str_cat (name, sizeof (name), ".signature");
result = _gnutls_x509_write_sig_params (src, name,
- issuer_key->pk_algorithm, dig,
- issuer_key->params,
- issuer_key->params_size);
+
gnutls_privkey_get_pk_algorithm(issuer_key, NULL), dig);
if (result < 0)
{
gnutls_assert ();
@@ -278,7 +281,16 @@ _gnutls_x509_pkix_sign (ASN1_TYPE src, const char
*src_name,
/* Step 2. Sign the certificate.
*/
- result = _gnutls_x509_sign_tbs (src, src_name, dig, issuer_key, &signature);
+ result = _gnutls_x509_get_tbs (src, src_name, &tbs);
+
+ if (result < 0)
+ {
+ gnutls_assert ();
+ return result;
+ }
+
+ result = gnutls_privkey_sign_data (issuer_key, dig, 0, &tbs, &signature);
+ gnutls_free(tbs.data);
if (result < 0)
{
@@ -304,9 +316,7 @@ _gnutls_x509_pkix_sign (ASN1_TYPE src, const char *src_name,
*/
result = _gnutls_x509_write_sig_params (src, "signatureAlgorithm",
- issuer_key->pk_algorithm, dig,
- issuer_key->params,
- issuer_key->params_size);
+
gnutls_privkey_get_pk_algorithm(issuer_key, NULL), dig);
if (result < 0)
{
gnutls_assert ();
diff --git a/lib/x509/x509_int.h b/lib/x509/x509_int.h
index 7120ab8..12597e9 100644
--- a/lib/x509/x509_int.h
+++ b/lib/x509/x509_int.h
@@ -27,6 +27,7 @@
# define X509_H
#include <gnutls/x509.h>
+#include <gnutls/abstract.h>
#include <libtasn1.h>
@@ -134,14 +135,12 @@ int _gnutls_x509_crl_get_raw_issuer_dn (gnutls_x509_crl_t
crl,
gnutls_datum_t * dn);
/* sign.c */
-int _gnutls_x509_sign_tbs (ASN1_TYPE cert, const char *tbs_name,
- gnutls_digest_algorithm_t hash,
- gnutls_x509_privkey_t signer,
- gnutls_datum_t * signature);
+int _gnutls_x509_get_tbs (ASN1_TYPE cert, const char *tbs_name,
+ gnutls_datum_t * tbs);
int _gnutls_x509_pkix_sign (ASN1_TYPE src, const char *src_name,
gnutls_digest_algorithm_t,
gnutls_x509_crt_t issuer,
- gnutls_x509_privkey_t issuer_key);
+ gnutls_privkey_t issuer_key);
/* dn.c */
#define OID_X520_COUNTRY_NAME "2.5.4.6"
@@ -303,8 +302,7 @@ int _gnutls_x509_write_uint32 (ASN1_TYPE node, const char
*value,
int _gnutls_x509_write_sig_params (ASN1_TYPE dst, const char *dst_name,
gnutls_pk_algorithm_t pk_algorithm,
- gnutls_digest_algorithm_t,
- bigint_t * params, int params_size);
+ gnutls_digest_algorithm_t);
/* pkcs12.h */
#include <gnutls/pkcs12.h>
diff --git a/lib/x509/x509_write.c b/lib/x509/x509_write.c
index 62e0fe8..27bf151 100644
--- a/lib/x509/x509_write.c
+++ b/lib/x509/x509_write.c
@@ -752,6 +752,7 @@ gnutls_x509_crt_sign2 (gnutls_x509_crt_t crt,
gnutls_x509_crt_t issuer,
gnutls_digest_algorithm_t dig, unsigned int flags)
{
int result;
+ gnutls_privkey_t privkey;
if (crt == NULL || issuer == NULL || issuer_key == NULL)
{
@@ -759,19 +760,33 @@ gnutls_x509_crt_sign2 (gnutls_x509_crt_t crt,
gnutls_x509_crt_t issuer,
return GNUTLS_E_INVALID_REQUEST;
}
- /* disable all the unneeded OPTIONAL fields.
- */
- disable_optional_stuff (crt);
-
- result = _gnutls_x509_pkix_sign (crt->cert, "tbsCertificate",
- dig, issuer, issuer_key);
+ result = gnutls_privkey_init(&privkey);
if (result < 0)
{
gnutls_assert ();
return result;
}
- return 0;
+ result = gnutls_privkey_import_x509(privkey, issuer_key, 0);
+ if (result < 0)
+ {
+ gnutls_assert ();
+ goto fail;
+ }
+
+ result = gnutls_x509_crt_privkey_sign (crt, issuer, privkey, dig, flags);
+ if (result < 0)
+ {
+ gnutls_assert ();
+ goto fail;
+ }
+
+ result = 0;
+
+fail:
+ gnutls_privkey_deinit(privkey);
+
+ return result;
}
/**
@@ -1279,4 +1294,50 @@ gnutls_x509_crt_set_key_purpose_oid (gnutls_x509_crt_t
cert,
}
+/**
+ * gnutls_x509_crt_privkey_sign:
+ * @crt: a certificate of type #gnutls_x509_crt_t
+ * @issuer: is the certificate of the certificate issuer
+ * @issuer_key: holds the issuer's private key
+ * @dig: The message digest to use, %GNUTLS_DIG_SHA1 is a safe choice
+ * @flags: must be 0
+ *
+ * This function will sign the certificate with the issuer's private key, and
+ * will copy the issuer's information into the certificate.
+ *
+ * This must be the last step in a certificate generation since all
+ * the previously set parameters are now signed.
+ *
+ * Returns: On success, %GNUTLS_E_SUCCESS is returned, otherwise a
+ * negative error value.
+ **/
+int
+gnutls_x509_crt_privkey_sign (gnutls_x509_crt_t crt, gnutls_x509_crt_t issuer,
+ gnutls_privkey_t issuer_key,
+ gnutls_digest_algorithm_t dig, unsigned int flags)
+{
+ int result;
+
+ if (crt == NULL || issuer == NULL || issuer_key == NULL)
+ {
+ gnutls_assert ();
+ return GNUTLS_E_INVALID_REQUEST;
+ }
+
+ /* disable all the unneeded OPTIONAL fields.
+ */
+ disable_optional_stuff (crt);
+
+ result = _gnutls_x509_pkix_sign (crt->cert, "tbsCertificate",
+ dig, issuer, issuer_key);
+ if (result < 0)
+ {
+ gnutls_assert ();
+ return result;
+ }
+
+ return 0;
+}
+
+
#endif /* ENABLE_PKI */
diff --git a/src/cli-gaa.c b/src/cli-gaa.c
index 715b43b..fab23f2 100644
--- a/src/cli-gaa.c
+++ b/src/cli-gaa.c
@@ -146,14 +146,14 @@ void gaa_help(void)
__gaa_helpsingle(0, "kx", "kx1 kx2... ", "Key exchange methods to
enable.");
__gaa_helpsingle(0, "ctypes", "certType1 certType2... ", "Certificate
types to enable.");
__gaa_helpsingle(0, "priority", "PRIORITY STRING ", "Priorities
string.");
- __gaa_helpsingle(0, "x509cafile", "FILE ", "Certificate file to use.");
+ __gaa_helpsingle(0, "x509cafile", "FILE ", "Certificate file or PKCS
#11 URL to use.");
__gaa_helpsingle(0, "x509crlfile", "FILE ", "CRL file to use.");
__gaa_helpsingle(0, "pgpkeyfile", "FILE ", "PGP Key file to use.");
__gaa_helpsingle(0, "pgpkeyring", "FILE ", "PGP Key ring file to use.");
__gaa_helpsingle(0, "pgpcertfile", "FILE ", "PGP Public Key
(certificate) file to use.");
__gaa_helpsingle(0, "pgpsubkey", "HEX|auto ", "PGP subkey to use.");
- __gaa_helpsingle(0, "x509keyfile", "FILE ", "X.509 key file to use.");
- __gaa_helpsingle(0, "x509certfile", "FILE ", "X.509 Certificate file to
use.");
+ __gaa_helpsingle(0, "x509keyfile", "FILE ", "X.509 key file or PKCS #11
URL to use.");
+ __gaa_helpsingle(0, "x509certfile", "FILE ", "X.509 Certificate file or
PKCS #11 URL to use.");
__gaa_helpsingle(0, "srpusername", "NAME ", "SRP username to use.");
__gaa_helpsingle(0, "srppasswd", "PASSWD ", "SRP password to use.");
__gaa_helpsingle(0, "pskusername", "NAME ", "PSK username to use.");
diff --git a/src/cli.c b/src/cli.c
index cbf9452..2d76ec8 100644
--- a/src/cli.c
+++ b/src/cli.c
@@ -582,6 +582,7 @@ init_tls_session (const char *hostname)
gnutls_certificate_set_retrieve_function (xcred, cert_callback);
gnutls_certificate_set_verify_function (xcred, cert_verify_callback);
+ gnutls_certificate_set_verify_flags(xcred,
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
/* send the fingerprint */
#ifdef ENABLE_OPENPGP
diff --git a/src/cli.gaa b/src/cli.gaa
index 72502f7..4aa8f20 100644
--- a/src/cli.gaa
+++ b/src/cli.gaa
@@ -75,7 +75,7 @@ option (ctypes) *STR "certType1 certType2..." { $ctype = $1;
$nctype = @1 } "Cer
option (priority) STR "PRIORITY STRING" { $priorities = $1 } "Priorities
string."
#char *x509_cafile;
-option (x509cafile) STR "FILE" { $x509_cafile = $1 } "Certificate file to use."
+option (x509cafile) STR "FILE" { $x509_cafile = $1 } "Certificate file or PKCS
#11 URL to use."
#char *x509_crlfile;
option (x509crlfile) STR "FILE" { $x509_crlfile = $1 } "CRL file to use."
@@ -93,10 +93,10 @@ option (pgpcertfile) STR "FILE" { $pgp_certfile = $1 } "PGP
Public Key (certific
option (pgpsubkey) STR "HEX|auto" { $pgp_subkey = $1 } "PGP subkey to use."
#char *x509_keyfile;
-option (x509keyfile) STR "FILE" { $x509_keyfile = $1 } "X.509 key file to use."
+option (x509keyfile) STR "FILE" { $x509_keyfile = $1 } "X.509 key file or PKCS
#11 URL to use."
#char *x509_certfile;
-option (x509certfile) STR "FILE" { $x509_certfile = $1 } "X.509 Certificate
file to use."
+option (x509certfile) STR "FILE" { $x509_certfile = $1 } "X.509 Certificate
file or PKCS #11 URL to use."
#char *srp_username;
option (srpusername) STR "NAME" { $srp_username = $1 } "SRP username to use."
diff --git a/src/serv-gaa.c b/src/serv-gaa.c
index 3f762ef..f135b2a 100644
--- a/src/serv-gaa.c
+++ b/src/serv-gaa.c
@@ -135,14 +135,14 @@ void gaa_help(void)
__gaa_helpsingle(0, "echo", "", "Act as an Echo Server.");
__gaa_helpsingle(0, "dhparams", "FILE ", "DH params file to use.");
__gaa_helpsingle(0, "x509fmtder", "", "Use DER format for
certificates");
- __gaa_helpsingle(0, "x509cafile", "FILE ", "Certificate file to use.");
+ __gaa_helpsingle(0, "x509cafile", "FILE ", "Certificate file or PKCS
#11 URL to use.");
__gaa_helpsingle(0, "x509crlfile", "FILE ", "CRL file to use.");
__gaa_helpsingle(0, "pgpkeyring", "FILE ", "PGP Key ring file to use.");
__gaa_helpsingle(0, "pgpkeyfile", "FILE ", "PGP Key file to use.");
__gaa_helpsingle(0, "pgpcertfile", "FILE ", "PGP Public Key
(certificate) file to use.");
__gaa_helpsingle(0, "pgpsubkey", "HEX|auto ", "PGP subkey to use.");
- __gaa_helpsingle(0, "x509keyfile", "FILE ", "X.509 key file to use.");
- __gaa_helpsingle(0, "x509certfile", "FILE ", "X.509 Certificate file to
use.");
+ __gaa_helpsingle(0, "x509keyfile", "FILE ", "X.509 key file or PKCS #11
URL to use.");
+ __gaa_helpsingle(0, "x509certfile", "FILE ", "X.509 Certificate file or
PKCS #11 URL to use.");
__gaa_helpsingle(0, "x509dsakeyfile", "FILE ", "Alternative X.509 key
file to use.");
__gaa_helpsingle(0, "x509dsacertfile", "FILE ", "Alternative X.509
certificate file to use.");
__gaa_helpsingle('r', "require-cert", "", "Require a valid
certificate.");
diff --git a/src/serv.gaa b/src/serv.gaa
index 474542d..a6eb908 100644
--- a/src/serv.gaa
+++ b/src/serv.gaa
@@ -38,7 +38,7 @@ option (dhparams) STR "FILE" { $dh_params_file = $1 } "DH
params file to use."
option (x509fmtder) { $fmtder = 1 } "Use DER format for certificates"
#char *x509_cafile;
-option (x509cafile) STR "FILE" { $x509_cafile = $1 } "Certificate file to use."
+option (x509cafile) STR "FILE" { $x509_cafile = $1 } "Certificate file or PKCS
#11 URL to use."
#char *x509_crlfile;
option (x509crlfile) STR "FILE" { $x509_crlfile = $1 } "CRL file to use."
@@ -56,10 +56,10 @@ option (pgpcertfile) STR "FILE" { $pgp_certfile = $1 } "PGP
Public Key (certific
option (pgpsubkey) STR "HEX|auto" { $pgp_subkey = $1 } "PGP subkey to use."
#char *x509_keyfile;
-option (x509keyfile) STR "FILE" { $x509_keyfile = $1 } "X.509 key file to use."
+option (x509keyfile) STR "FILE" { $x509_keyfile = $1 } "X.509 key file or PKCS
#11 URL to use."
#char *x509_certfile;
-option (x509certfile) STR "FILE" { $x509_certfile = $1 } "X.509 Certificate
file to use."
+option (x509certfile) STR "FILE" { $x509_certfile = $1 } "X.509 Certificate
file or PKCS #11 URL to use."
#char *x509_dsakeyfile;
option (x509dsakeyfile) STR "FILE" { $x509_dsakeyfile = $1 } "Alternative
X.509 key file to use."
hooks/post-receive
--
GNU gnutls
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [SCM] GNU gnutls branch, new, updated. gnutls_2_9_10-51-gb94f9dc,
Nikos Mavrogiannopoulos <=