int main(void)
{
int rc;
gnutls_certificate_credentials_t crt;
gnutls_datum_t crldatum = { (uint8_t *) crl, strlen(crl) };
gnutls_x509_crl_t crl;
rc = global_init();
if (rc) {
printf("global_init rc %d: %s\n", rc, gnutls_strerror(rc));
return 1;
}
rc = gnutls_certificate_allocate_credentials(&crt);
if (rc) {
printf
("gnutls_certificate_allocate_credentials rc %d: %s\n",
rc, gnutls_strerror(rc));
return 1;
}
rc = gnutls_certificate_set_x509_crl_mem(crt, &crldatum,
GNUTLS_X509_FMT_PEM);
if (rc != 1) {
printf("gnutls_certificate_set_x509_crl_mem num %d\n", rc);
return 1;
}
rc = gnutls_x509_crl_init(&crl);
if (rc) {
printf("gnutls_x509_crl_init rc %d: %s\n", rc,
gnutls_strerror(rc));
return 1;
}
rc = gnutls_x509_crl_import(crl, &crldatum, GNUTLS_X509_FMT_PEM);
if (rc) {
printf("gnutls_x509_crl_import rc %d: %s\n", rc,
gnutls_strerror(rc));
return 1;
}
rc = gnutls_certificate_set_x509_crl(crt, &crl, 1);
if (rc < 0) {
printf("gnutls_certificate_set_x509_crl rc %d: %s\n",
rc, gnutls_strerror(rc));
return 1;
}
gnutls_x509_crl_deinit(crl);
gnutls_certificate_free_credentials(crt);
gnutls_global_deinit();
return 0;
}
/** Sets the trusted CA and the certificate revocation list
* to use when verifying certificates
*/
void SetCA(std::auto_ptr<X509CertList>& certlist, std::auto_ptr<X509CRL>& CRL)
{
// Do nothing if certlist is NULL
if (certlist.get())
{
int ret = gnutls_certificate_set_x509_trust(cred, certlist->raw(), certlist->size());
ThrowOnError(ret, "gnutls_certificate_set_x509_trust() failed");
if (CRL.get())
{
ret = gnutls_certificate_set_x509_crl(cred, &CRL->get(), 1);
ThrowOnError(ret, "gnutls_certificate_set_x509_crl() failed");
}
trustedca = certlist;
crl = CRL;
}
}
/**
* gnutls_certificate_set_x509_simple_pkcs12_mem:
* @res: is a #gnutls_certificate_credentials_t type.
* @p12blob: the PKCS#12 blob.
* @type: is PEM or DER of the @pkcs12file.
* @password: optional password used to decrypt PKCS#12 file, bags and keys.
*
* This function sets a certificate/private key pair and/or a CRL in
* the gnutls_certificate_credentials_t type. This function may
* be called more than once (in case multiple keys/certificates exist
* for the server).
*
* Encrypted PKCS#12 bags and PKCS#8 private keys are supported. However,
* only password based security, and the same password for all
* operations, are supported.
*
* PKCS#12 file may contain many keys and/or certificates, and this
* function will try to auto-detect based on the key ID the certificate
* and key pair to use. If the PKCS#12 file contain the issuer of
* the selected certificate, it will be appended to the certificate
* to form a chain.
*
* If more than one private keys are stored in the PKCS#12 file,
* then only one key will be read (and it is undefined which one).
*
* It is believed that the limitations of this function is acceptable
* for most usage, and that any more flexibility would introduce
* complexity that would make it harder to use this functionality at
* all.
*
* Note that, this function by default returns zero on success and a negative value on error.
* Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags()
* it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair.
*
* Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior).
*
* Since: 2.8.0
**/
int
gnutls_certificate_set_x509_simple_pkcs12_mem
(gnutls_certificate_credentials_t res, const gnutls_datum_t * p12blob,
gnutls_x509_crt_fmt_t type, const char *password) {
gnutls_pkcs12_t p12;
gnutls_x509_privkey_t key = NULL;
gnutls_x509_crt_t *chain = NULL;
gnutls_x509_crl_t crl = NULL;
unsigned int chain_size = 0, i;
int ret, idx;
ret = gnutls_pkcs12_init(&p12);
if (ret < 0) {
gnutls_assert();
return ret;
}
ret = gnutls_pkcs12_import(p12, p12blob, type, 0);
if (ret < 0) {
gnutls_assert();
gnutls_pkcs12_deinit(p12);
return ret;
}
if (password) {
ret = gnutls_pkcs12_verify_mac(p12, password);
if (ret < 0) {
gnutls_assert();
gnutls_pkcs12_deinit(p12);
return ret;
}
}
ret =
gnutls_pkcs12_simple_parse(p12, password, &key, &chain,
&chain_size, NULL, NULL, &crl, 0);
gnutls_pkcs12_deinit(p12);
if (ret < 0) {
gnutls_assert();
return ret;
}
if (key && chain) {
ret =
gnutls_certificate_set_x509_key(res, chain, chain_size,
key);
if (ret < 0) {
gnutls_assert();
goto done;
}
idx = ret;
} else {
gnutls_assert();
ret = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
goto done;
}
if (crl) {
ret = gnutls_certificate_set_x509_crl(res, &crl, 1);
if (ret < 0) {
gnutls_assert();
goto done;
}
}
if (res->flags & GNUTLS_CERTIFICATE_API_V2)
ret = idx;
else
ret = 0;
done:
if (chain) {
for (i = 0; i < chain_size; i++)
gnutls_x509_crt_deinit(chain[i]);
gnutls_free(chain);
}
if (key)
gnutls_x509_privkey_deinit(key);
if (crl)
gnutls_x509_crl_deinit(crl);
return ret;
}
void certificate_credentials::set_x509_crl (gnutls_x509_crl_t * crl_list,
int crl_list_size)
{
RETWRAP (gnutls_certificate_set_x509_crl (cred, crl_list, crl_list_size));
}
