/* Reads a PEM encoded PKCS-1 RSA/DSA private key from memory. Type
* indicates the certificate format.
*
* It returns the private key read in @rkey.
*/
int
_gnutls_read_key_mem(gnutls_certificate_credentials_t res,
const void *key, int key_size, gnutls_x509_crt_fmt_t type,
const char *pass, unsigned int flags,
gnutls_privkey_t *rkey)
{
int ret;
gnutls_datum_t tmp;
gnutls_privkey_t privkey;
if (key) {
tmp.data = (uint8_t *) key;
tmp.size = key_size;
ret = gnutls_privkey_init(&privkey);
if (ret < 0) {
gnutls_assert();
return ret;
}
if (res->pin.cb) {
gnutls_privkey_set_pin_function(privkey,
res->pin.cb,
res->pin.data);
} else if (pass != NULL) {
snprintf(res->pin_tmp, sizeof(res->pin_tmp), "%s",
pass);
gnutls_privkey_set_pin_function(privkey,
tmp_pin_cb,
res->pin_tmp);
}
ret =
gnutls_privkey_import_x509_raw(privkey, &tmp, type,
pass, flags);
if (ret < 0) {
gnutls_assert();
gnutls_privkey_deinit(privkey);
return ret;
}
*rkey = privkey;
} else {
gnutls_assert();
return GNUTLS_E_INVALID_REQUEST;
}
return 0;
}
/* Reads a private key from a token.
*/
static int
read_key_url(gnutls_certificate_credentials_t res, const char *url, gnutls_privkey_t *rkey)
{
int ret;
gnutls_privkey_t pkey = NULL;
/* allocate space for the pkey list
*/
ret = gnutls_privkey_init(&pkey);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
if (res->pin.cb)
gnutls_privkey_set_pin_function(pkey, res->pin.cb,
res->pin.data);
ret = gnutls_privkey_import_url(pkey, url, 0);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
*rkey = pkey;
return 0;
cleanup:
if (pkey)
gnutls_privkey_deinit(pkey);
return ret;
}
void
sec_mod_server(struct cfg_st* config, const char* socket_file)
{
struct sockaddr_un sa;
socklen_t sa_len;
int cfd, ret, e;
unsigned i, buffer_size, type;
gnutls_privkey_t *key;
uint8_t *buffer;
unsigned key_size = config->key_size;
struct pin_st pins;
gnutls_datum_t data, out;
uint16_t length;
struct iovec iov[2];
int sd;
#if defined(SO_PEERCRED) && defined(HAVE_STRUCT_UCRED)
struct ucred cr;
socklen_t cr_len;
#endif
ocsignal(SIGHUP, SIG_IGN);
ocsignal(SIGINT, SIG_DFL);
ocsignal(SIGTERM, SIG_DFL);
#ifdef HAVE_PKCS11
ret = gnutls_pkcs11_reinit();
if (ret < 0) {
syslog(LOG_WARNING, "error in PKCS #11 reinitialization: %s", gnutls_strerror(ret));
}
#endif
buffer_size = 8*1024;
buffer = malloc(buffer_size);
if (buffer == NULL) {
syslog(LOG_ERR, "error in memory allocation");
exit(1);
}
memset(&sa, 0, sizeof(sa));
sa.sun_family = AF_UNIX;
snprintf(sa.sun_path, sizeof(sa.sun_path), "%s", socket_file);
remove(socket_file);
sd = socket(AF_UNIX, SOCK_STREAM, 0);
if (sd == -1) {
e = errno;
syslog(LOG_ERR, "could not create socket '%s': %s", socket_file, strerror(e));
exit(1);
}
umask(066);
ret = bind(sd, (struct sockaddr *)&sa, SUN_LEN(&sa));
if (ret == -1) {
e = errno;
syslog(LOG_ERR, "could not bind socket '%s': %s", socket_file, strerror(e));
exit(1);
}
ret = chown(socket_file, config->uid, config->gid);
if (ret == -1) {
e = errno;
syslog(LOG_ERR, "could not chown socket '%s': %s", socket_file, strerror(e));
}
ret = listen(sd, 1024);
if (ret == -1) {
e = errno;
syslog(LOG_ERR, "could not listen to socket '%s': %s", socket_file, strerror(e));
exit(1);
}
ret = load_pins(config, &pins);
if (ret < 0) {
syslog(LOG_ERR, "error loading PIN files");
exit(1);
}
key = malloc(sizeof(*key)*config->key_size);
if (key == NULL) {
syslog(LOG_ERR, "error in memory allocation");
exit(1);
}
/* read private keys */
for (i=0;i<key_size;i++) {
ret = gnutls_privkey_init(&key[i]);
GNUTLS_FATAL_ERR(ret);
/* load the private key */
if (gnutls_url_is_supported(config->key[i]) != 0) {
gnutls_privkey_set_pin_function (key[i], pin_callback, &pins);
ret = gnutls_privkey_import_url(key[i], config->key[i], 0);
GNUTLS_FATAL_ERR(ret);
} else {
ret = gnutls_load_file(config->key[i], &data);
if (ret < 0) {
syslog(LOG_ERR, "error loading file '%s'", config->key[i]);
GNUTLS_FATAL_ERR(ret);
}
ret = gnutls_privkey_import_x509_raw(key[i], &data, GNUTLS_X509_FMT_PEM, NULL, 0);
GNUTLS_FATAL_ERR(ret);
gnutls_free(data.data);
}
}
syslog(LOG_INFO, "sec-mod initialized (socket: %s)", socket_file);
for (;;) {
sa_len = sizeof(sa);
cfd = accept(sd, (struct sockaddr *)&sa, &sa_len);
if (cfd == -1) {
e = errno;
syslog(LOG_ERR, "sec-mod error accepting connection: %s", strerror(e));
continue;
}
#if defined(SO_PEERCRED) && defined(HAVE_STRUCT_UCRED)
cr_len = sizeof(cr);
ret = getsockopt(cfd, SOL_SOCKET, SO_PEERCRED, &cr, &cr_len);
if (ret == -1) {
e = errno;
syslog(LOG_ERR, "sec-mod error obtaining peer credentials: %s", strerror(e));
goto cont;
}
syslog(LOG_DEBUG, "sec-mod received request from pid %u and uid %u", (unsigned)cr.pid, (unsigned)cr.uid);
if (cr.uid != config->uid || cr.gid != config->gid) {
syslog(LOG_ERR, "sec-mod received unauthorized request from pid %u and uid %u", (unsigned)cr.pid, (unsigned)cr.uid);
goto cont;
}
#endif
/* read request */
ret = recv(cfd, buffer, buffer_size, 0);
if (ret == 0)
goto cont;
else if (ret <= 2) {
e = errno;
syslog(LOG_ERR, "error receiving sec-mod data: %s", strerror(e));
goto cont;
}
/* calculate */
i = buffer[0];
type = buffer[1];
if (i >= key_size) {
syslog(LOG_ERR, "sec-mod received out-of-bounds key index");
goto cont;
}
data.data = &buffer[2];
data.size = ret - 2;
if (type == 'S') {
#if GNUTLS_VERSION_NUMBER >= 0x030200
ret = gnutls_privkey_sign_hash(key[i], 0, GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA, &data, &out);
#else
ret = gnutls_privkey_sign_raw_data(key[i], 0, &data, &out);
#endif
} else if (type == 'D') {
ret = gnutls_privkey_decrypt_data(key[i], 0, &data, &out);
} else {
syslog(LOG_ERR, "unknown type 0x%.2x", type);
goto cont;
}
if (ret < 0) {
syslog(LOG_ERR, "sec-mod error in crypto operation: %s", gnutls_strerror(ret));
goto cont;
}
/* write reply */
length = out.size;
iov[0].iov_base = &length;
iov[0].iov_len = 2;
iov[1].iov_base = out.data;
iov[1].iov_len = out.size;
ret = writev(cfd, iov, 2);
if (ret == -1) {
e = errno;
syslog(LOG_ERR, "sec-mod error in writev: %s", strerror(e));
}
gnutls_free(out.data);
cont:
close(cfd);
}
}
void doit(void)
{
int ret;
const char *lib;
gnutls_privkey_t key;
gnutls_pkcs11_obj_t obj;
gnutls_datum_t sig = {NULL, 0}, data;
unsigned flags = 0;
lib = getenv("P11MOCKLIB1");
if (lib == NULL)
lib = P11LIB;
{
void *dl;
unsigned int *pflags;
dl = dlopen(lib, RTLD_NOW);
if (dl == NULL) {
fail("could not dlopen %s\n", lib);
exit(1);
}
pflags = dlsym(dl, "pkcs11_mock_flags");
if (pflags == NULL) {
fail("could find pkcs11_mock_flags\n");
exit(1);
}
*pflags = MOCK_FLAG_ALWAYS_AUTH;
}
data.data = (void*)"\x38\x17\x0c\x08\xcb\x45\x8f\xd4\x87\x9c\x34\xb6\xf6\x08\x29\x4c\x50\x31\x2b\xbb";
data.size = 20;
ret = global_init();
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pkcs11_add_provider(lib, NULL);
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pkcs11_obj_init(&obj);
assert(ret>=0);
gnutls_pkcs11_obj_set_pin_function(obj, pin_func, NULL);
ret = gnutls_pkcs11_obj_import_url(obj, "pkcs11:object=test;type=private", GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
assert(ret>=0);
ret = gnutls_pkcs11_obj_get_flags(obj, &flags);
assert(ret>=0);
if (!(flags & GNUTLS_PKCS11_OBJ_FLAG_MARK_ALWAYS_AUTH)) {
fail("key object doesn't have the always authenticate flag\n");
}
gnutls_pkcs11_obj_deinit(obj);
ret = gnutls_privkey_init(&key);
assert(ret>=0);
gnutls_privkey_set_pin_function(key, pin_func, NULL);
ret = gnutls_privkey_import_url(key, "pkcs11:object=test", GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
pin_called = 0;
ret = gnutls_privkey_sign_hash(key, GNUTLS_DIG_SHA1, 0, &data, &sig);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
if (pin_called == 0) {
fail("PIN function wasn't called!\n");
}
pin_called = 0;
gnutls_free(sig.data);
/* call again - should re-authenticate */
ret = gnutls_privkey_sign_hash(key, GNUTLS_DIG_SHA1, 0, &data, &sig);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
if (pin_called == 0) {
fail("PIN function wasn't called twice!\n");
}
pin_called = 0;
gnutls_free(sig.data);
if (debug)
printf("done\n\n\n");
gnutls_privkey_deinit(key);
gnutls_pkcs11_deinit();
gnutls_global_deinit();
}
void doit(void)
{
int ret;
const char *lib;
gnutls_privkey_t key;
gnutls_pubkey_t pub;
gnutls_datum_t m1, e1;
gnutls_datum_t m2, e2;
ret = global_init();
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
lib = getenv("P11MOCKLIB1");
if (lib == NULL)
lib = P11LIB;
ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pkcs11_add_provider(lib, NULL);
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_privkey_init(&key);
assert(ret>=0);
ret = gnutls_pubkey_init(&pub);
assert(ret>=0);
gnutls_privkey_set_pin_function(key, pin_func, NULL);
ret = gnutls_privkey_import_url(key, "pkcs11:object=test", GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pubkey_import_privkey(pub, key, 0, 0);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pubkey_export_rsa_raw(pub, &m1, &e1);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
gnutls_pubkey_deinit(pub);
gnutls_privkey_deinit(key);
/* try again using gnutls_pubkey_import_url */
ret = gnutls_pubkey_init(&pub);
assert(ret>=0);
ret = gnutls_pubkey_import_url(pub, "pkcs11:object=test;type=public", 0);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pubkey_export_rsa_raw(pub, &m2, &e2);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
assert(m1.size == m2.size);
assert(e1.size == e2.size);
assert(memcmp(e1.data, e2.data, e2.size)==0);
assert(memcmp(m1.data, m2.data, m2.size)==0);
gnutls_pubkey_deinit(pub);
gnutls_free(m1.data);
gnutls_free(e1.data);
gnutls_free(m2.data);
gnutls_free(e2.data);
gnutls_pkcs11_deinit();
gnutls_global_deinit();
}
/**
* gnutls_certificate_set_x509_key:
* @res: is a #gnutls_certificate_credentials_t type.
* @cert_list: contains a certificate list (path) for the specified private key
* @cert_list_size: holds the size of the certificate list
* @key: is a #gnutls_x509_privkey_t key
*
* This function sets a certificate/private key pair in the
* gnutls_certificate_credentials_t type. This function may be
* called more than once, in case multiple keys/certificates exist for
* the server. For clients that wants to send more than their own end
* entity certificate (e.g., also an intermediate CA cert) then put
* the certificate chain in @cert_list.
*
* Note that the certificates and keys provided, can be safely deinitialized
* after this function is called.
*
* If that function fails to load the @res type is at an undefined state, it must
* not be reused to load other keys or certificates.
*
* Note that, this function by default returns zero on success and a negative value on error.
* Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags()
* it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair.
*
* Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior).
*
* Since: 2.4.0
**/
int
gnutls_certificate_set_x509_key(gnutls_certificate_credentials_t res,
gnutls_x509_crt_t * cert_list,
int cert_list_size,
gnutls_x509_privkey_t key)
{
int ret;
gnutls_privkey_t pkey;
gnutls_pcert_st *pcerts = NULL;
gnutls_str_array_t names;
_gnutls_str_array_init(&names);
/* this should be first
*/
ret = gnutls_privkey_init(&pkey);
if (ret < 0) {
gnutls_assert();
return ret;
}
if (res->pin.cb)
gnutls_privkey_set_pin_function(pkey, res->pin.cb,
res->pin.data);
ret =
gnutls_privkey_import_x509(pkey, key,
GNUTLS_PRIVKEY_IMPORT_COPY);
if (ret < 0) {
gnutls_assert();
return ret;
}
/* load certificates */
pcerts = gnutls_malloc(sizeof(gnutls_pcert_st) * cert_list_size);
if (pcerts == NULL) {
gnutls_assert();
return GNUTLS_E_MEMORY_ERROR;
}
ret = _gnutls_get_x509_name(cert_list[0], &names);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret =
gnutls_pcert_import_x509_list(pcerts, cert_list, (unsigned int*)&cert_list_size,
GNUTLS_X509_CRT_LIST_SORT);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
ret =
_gnutls_certificate_credential_append_keypair(res, pkey, names, pcerts,
cert_list_size);
if (ret < 0) {
gnutls_assert();
goto cleanup;
}
res->ncerts++;
/* after this point we do not deinitialize anything on failure to avoid
* double freeing. We intentionally keep everything as the credentials state
* is documented to be on undefined state. */
if ((ret = _gnutls_check_key_cert_match(res)) < 0) {
gnutls_assert();
return ret;
}
CRED_RET_SUCCESS(res);
cleanup:
gnutls_free(pcerts);
_gnutls_str_array_clear(&names);
return ret;
}
static int load_keys(sec_mod_st *sec, unsigned force)
{
unsigned i, need_reload = 0;
int ret;
struct pin_st pins;
static time_t last_access = 0;
for (i = 0; i < sec->perm_config->key_size; i++) {
if (need_file_reload(sec->perm_config->key[i], last_access) != 0) {
need_reload = 1;
break;
}
}
if (need_reload == 0)
return 0;
last_access = time(0);
ret = load_pins(sec->perm_config, &pins);
if (ret < 0) {
seclog(sec, LOG_ERR, "error loading PIN files");
exit(1);
}
/* Reminder: the number of private keys or their filenames cannot be changed on reload
*/
if (sec->key == NULL) {
sec->key_size = sec->perm_config->key_size;
sec->key = talloc_zero_size(sec, sizeof(*sec->key) * sec->perm_config->key_size);
if (sec->key == NULL) {
seclog(sec, LOG_ERR, "error in memory allocation");
exit(1);
}
}
/* read private keys */
for (i = 0; i < sec->key_size; i++) {
gnutls_privkey_t p;
ret = gnutls_privkey_init(&p);
CHECK_LOOP_ERR(ret);
/* load the private key */
if (gnutls_url_is_supported(sec->perm_config->key[i]) != 0) {
gnutls_privkey_set_pin_function(p,
pin_callback, &pins);
ret =
gnutls_privkey_import_url(p,
sec->perm_config->key[i], 0);
CHECK_LOOP_ERR(ret);
} else {
gnutls_datum_t data;
ret = gnutls_load_file(sec->perm_config->key[i], &data);
if (ret < 0) {
seclog(sec, LOG_ERR, "error loading file '%s'",
sec->perm_config->key[i]);
CHECK_LOOP_ERR(ret);
}
ret =
gnutls_privkey_import_x509_raw(p, &data,
GNUTLS_X509_FMT_PEM,
NULL, 0);
if (ret == GNUTLS_E_DECRYPTION_FAILED && pins.pin[0]) {
ret =
gnutls_privkey_import_x509_raw(p, &data,
GNUTLS_X509_FMT_PEM,
pins.pin, 0);
}
CHECK_LOOP_ERR(ret);
gnutls_free(data.data);
}
if (sec->key[i] != NULL) {
gnutls_privkey_deinit(sec->key[i]);
}
sec->key[i] = p;
}
return 0;
}
void doit(void)
{
int ret;
const char *lib;
gnutls_privkey_t key;
gnutls_datum_t sig = {NULL, 0}, data;
pid_t pid;
data.data = (void*)"\x38\x17\x0c\x08\xcb\x45\x8f\xd4\x87\x9c\x34\xb6\xf6\x08\x29\x4c\x50\x31\x2b\xbb";
data.size = 20;
ret = global_init();
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
gnutls_global_set_log_function(tls_log_func);
if (debug)
gnutls_global_set_log_level(4711);
lib = getenv("P11MOCKLIB1");
if (lib == NULL)
lib = P11LIB;
ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_pkcs11_add_provider(lib, NULL);
if (ret != 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_privkey_init(&key);
assert(ret>=0);
gnutls_privkey_set_pin_function(key, pin_func, NULL);
ret = gnutls_privkey_import_url(key, "pkcs11:object=test", GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
ret = gnutls_privkey_sign_hash(key, GNUTLS_DIG_SHA1, 0, &data, &sig);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
gnutls_free(sig.data);
pid = fork();
if (pid != 0) {
int status;
assert(waitpid(pid, &status, 0) >= 0);
if (WEXITSTATUS(status) != 0) {
fail("child return status was unexpected: %d\n", WEXITSTATUS(status));
exit(1);
}
} else { /* child */
ret = gnutls_pkcs11_reinit();
assert(ret == 0);
ret = gnutls_privkey_sign_hash(key, GNUTLS_DIG_SHA1, 0, &data, &sig);
if (ret < 0) {
fail("%d: %s\n", ret, gnutls_strerror(ret));
exit(1);
}
gnutls_free(sig.data);
gnutls_privkey_deinit(key);
gnutls_pkcs11_deinit();
gnutls_global_deinit();
exit(0);
}
if (debug)
printf("done\n\n\n");
gnutls_privkey_deinit(key);
gnutls_pkcs11_deinit();
gnutls_global_deinit();
}
/* Load the certificate and the private key.
*/
static void
load_keys (void)
{
unsigned int crt_num;
int ret;
unsigned int i;
gnutls_datum_t data = { NULL, 0 };
gnutls_x509_crt_t crt_list[MAX_CRT];
unsigned char keyid[GNUTLS_OPENPGP_KEYID_SIZE];
if (x509_certfile != NULL && x509_keyfile != NULL)
{
#ifdef ENABLE_PKCS11
if (strncmp (x509_certfile, "pkcs11:", 7) == 0)
{
crt_num = 1;
gnutls_x509_crt_init (&crt_list[0]);
gnutls_x509_crt_set_pin_function(crt_list[0], pin_callback, NULL);
ret =
gnutls_x509_crt_import_pkcs11_url (crt_list[0], x509_certfile, 0);
if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
ret =
gnutls_x509_crt_import_pkcs11_url (crt_list[0], x509_certfile,
GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
if (ret < 0)
{
fprintf (stderr, "*** Error loading cert file.\n");
exit (1);
}
x509_crt_size = 1;
}
else
#endif /* ENABLE_PKCS11 */
{
ret = gnutls_load_file (x509_certfile, &data);
if (ret < 0)
{
fprintf (stderr, "*** Error loading cert file.\n");
exit (1);
}
crt_num = MAX_CRT;
ret =
gnutls_x509_crt_list_import (crt_list, &crt_num, &data,
x509ctype,
GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
if (ret < 0)
{
if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER)
{
fprintf (stderr,
"*** Error loading cert file: Too many certs %d\n",
crt_num);
}
else
{
fprintf (stderr,
"*** Error loading cert file: %s\n",
gnutls_strerror (ret));
}
exit (1);
}
x509_crt_size = ret;
}
for (i=0;i<x509_crt_size;i++)
{
ret = gnutls_pcert_import_x509(&x509_crt[i], crt_list[i], 0);
if (ret < 0)
{
fprintf(stderr, "*** Error importing crt to pcert: %s\n",
gnutls_strerror(ret));
exit(1);
}
gnutls_x509_crt_deinit(crt_list[i]);
}
gnutls_free (data.data);
ret = gnutls_privkey_init(&x509_key);
if (ret < 0)
{
fprintf (stderr, "*** Error initializing key: %s\n",
gnutls_strerror (ret));
exit (1);
}
gnutls_privkey_set_pin_function(x509_key, pin_callback, NULL);
if (gnutls_url_is_supported(x509_keyfile) != 0)
{
ret =
gnutls_privkey_import_url (x509_key, x509_keyfile, 0);
if (ret < 0)
{
fprintf (stderr, "*** Error loading url: %s\n",
gnutls_strerror (ret));
exit (1);
}
}
else
{
ret = gnutls_load_file (x509_keyfile, &data);
if (ret < 0)
{
fprintf (stderr, "*** Error loading key file.\n");
exit (1);
}
ret = gnutls_privkey_import_x509_raw( x509_key, &data, x509ctype, NULL, 0);
if (ret < 0)
{
fprintf (stderr, "*** Error loading url: %s\n",
gnutls_strerror (ret));
exit (1);
}
gnutls_free(data.data);
}
fprintf (stdout, "Processed %d client X.509 certificates...\n",
x509_crt_size);
}
#ifdef ENABLE_OPENPGP
if (HAVE_OPT(PGPSUBKEY))
{
get_keyid (keyid, OPT_ARG(PGPSUBKEY));
}
if (pgp_certfile != NULL && pgp_keyfile != NULL)
{
gnutls_openpgp_crt_t tmp_pgp_crt;
ret = gnutls_load_file (pgp_certfile, &data);
if (ret < 0)
{
fprintf (stderr, "*** Error loading PGP cert file.\n");
exit (1);
}
gnutls_openpgp_crt_init (&tmp_pgp_crt);
ret =
gnutls_pcert_import_openpgp_raw (&pgp_crt, &data, GNUTLS_OPENPGP_FMT_BASE64, HAVE_OPT(PGPSUBKEY)?keyid:NULL, 0);
if (ret < 0)
{
fprintf (stderr,
"*** Error loading PGP cert file: %s\n",
gnutls_strerror (ret));
exit (1);
}
gnutls_free (data.data);
ret = gnutls_privkey_init(&pgp_key);
if (ret < 0)
{
fprintf (stderr, "*** Error initializing key: %s\n",
gnutls_strerror (ret));
exit (1);
}
gnutls_privkey_set_pin_function(pgp_key, pin_callback, NULL);
if (gnutls_url_is_supported (pgp_keyfile))
{
ret = gnutls_privkey_import_url( pgp_key, pgp_keyfile, 0);
if (ret < 0)
{
fprintf (stderr, "*** Error loading url: %s\n",
gnutls_strerror (ret));
exit (1);
}
}
else
{
ret = gnutls_load_file (pgp_keyfile, &data);
if (ret < 0)
{
fprintf (stderr, "*** Error loading key file.\n");
exit (1);
}
if (HAVE_OPT(PGPSUBKEY))
ret = gnutls_privkey_import_openpgp_raw( pgp_key, &data, x509ctype, keyid, NULL);
else
ret = gnutls_privkey_import_openpgp_raw( pgp_key, &data, x509ctype, NULL, NULL);
if (ret < 0)
{
fprintf (stderr, "*** Error loading url: %s\n",
gnutls_strerror (ret));
exit (1);
}
gnutls_free(data.data);
}
fprintf (stdout, "Processed 1 client PGP certificate...\n");
}
#endif
}
