int main(void) { int rc; gnutls_certificate_credentials_t crt; gnutls_datum_t crldatum = { (uint8_t *) crl, strlen(crl) }; gnutls_x509_crl_t crl; rc = global_init(); if (rc) { printf("global_init rc %d: %s\n", rc, gnutls_strerror(rc)); return 1; } rc = gnutls_certificate_allocate_credentials(&crt); if (rc) { printf ("gnutls_certificate_allocate_credentials rc %d: %s\n", rc, gnutls_strerror(rc)); return 1; } rc = gnutls_certificate_set_x509_crl_mem(crt, &crldatum, GNUTLS_X509_FMT_PEM); if (rc != 1) { printf("gnutls_certificate_set_x509_crl_mem num %d\n", rc); return 1; } rc = gnutls_x509_crl_init(&crl); if (rc) { printf("gnutls_x509_crl_init rc %d: %s\n", rc, gnutls_strerror(rc)); return 1; } rc = gnutls_x509_crl_import(crl, &crldatum, GNUTLS_X509_FMT_PEM); if (rc) { printf("gnutls_x509_crl_import rc %d: %s\n", rc, gnutls_strerror(rc)); return 1; } rc = gnutls_certificate_set_x509_crl(crt, &crl, 1); if (rc < 0) { printf("gnutls_certificate_set_x509_crl rc %d: %s\n", rc, gnutls_strerror(rc)); return 1; } gnutls_x509_crl_deinit(crl); gnutls_certificate_free_credentials(crt); gnutls_global_deinit(); return 0; }
/** Sets the trusted CA and the certificate revocation list * to use when verifying certificates */ void SetCA(std::auto_ptr<X509CertList>& certlist, std::auto_ptr<X509CRL>& CRL) { // Do nothing if certlist is NULL if (certlist.get()) { int ret = gnutls_certificate_set_x509_trust(cred, certlist->raw(), certlist->size()); ThrowOnError(ret, "gnutls_certificate_set_x509_trust() failed"); if (CRL.get()) { ret = gnutls_certificate_set_x509_crl(cred, &CRL->get(), 1); ThrowOnError(ret, "gnutls_certificate_set_x509_crl() failed"); } trustedca = certlist; crl = CRL; } }
/** * gnutls_certificate_set_x509_simple_pkcs12_mem: * @res: is a #gnutls_certificate_credentials_t type. * @p12blob: the PKCS#12 blob. * @type: is PEM or DER of the @pkcs12file. * @password: optional password used to decrypt PKCS#12 file, bags and keys. * * This function sets a certificate/private key pair and/or a CRL in * the gnutls_certificate_credentials_t type. This function may * be called more than once (in case multiple keys/certificates exist * for the server). * * Encrypted PKCS#12 bags and PKCS#8 private keys are supported. However, * only password based security, and the same password for all * operations, are supported. * * PKCS#12 file may contain many keys and/or certificates, and this * function will try to auto-detect based on the key ID the certificate * and key pair to use. If the PKCS#12 file contain the issuer of * the selected certificate, it will be appended to the certificate * to form a chain. * * If more than one private keys are stored in the PKCS#12 file, * then only one key will be read (and it is undefined which one). * * It is believed that the limitations of this function is acceptable * for most usage, and that any more flexibility would introduce * complexity that would make it harder to use this functionality at * all. * * Note that, this function by default returns zero on success and a negative value on error. * Since 3.5.6, when the flag %GNUTLS_CERTIFICATE_API_V2 is set using gnutls_certificate_set_flags() * it returns an index (greater or equal to zero). That index can be used to other functions to refer to the added key-pair. * * Returns: On success this functions returns zero, and otherwise a negative value on error (see above for modifying that behavior). * * Since: 2.8.0 **/ int gnutls_certificate_set_x509_simple_pkcs12_mem (gnutls_certificate_credentials_t res, const gnutls_datum_t * p12blob, gnutls_x509_crt_fmt_t type, const char *password) { gnutls_pkcs12_t p12; gnutls_x509_privkey_t key = NULL; gnutls_x509_crt_t *chain = NULL; gnutls_x509_crl_t crl = NULL; unsigned int chain_size = 0, i; int ret, idx; ret = gnutls_pkcs12_init(&p12); if (ret < 0) { gnutls_assert(); return ret; } ret = gnutls_pkcs12_import(p12, p12blob, type, 0); if (ret < 0) { gnutls_assert(); gnutls_pkcs12_deinit(p12); return ret; } if (password) { ret = gnutls_pkcs12_verify_mac(p12, password); if (ret < 0) { gnutls_assert(); gnutls_pkcs12_deinit(p12); return ret; } } ret = gnutls_pkcs12_simple_parse(p12, password, &key, &chain, &chain_size, NULL, NULL, &crl, 0); gnutls_pkcs12_deinit(p12); if (ret < 0) { gnutls_assert(); return ret; } if (key && chain) { ret = gnutls_certificate_set_x509_key(res, chain, chain_size, key); if (ret < 0) { gnutls_assert(); goto done; } idx = ret; } else { gnutls_assert(); ret = GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE; goto done; } if (crl) { ret = gnutls_certificate_set_x509_crl(res, &crl, 1); if (ret < 0) { gnutls_assert(); goto done; } } if (res->flags & GNUTLS_CERTIFICATE_API_V2) ret = idx; else ret = 0; done: if (chain) { for (i = 0; i < chain_size; i++) gnutls_x509_crt_deinit(chain[i]); gnutls_free(chain); } if (key) gnutls_x509_privkey_deinit(key); if (crl) gnutls_x509_crl_deinit(crl); return ret; }
void certificate_credentials::set_x509_crl (gnutls_x509_crl_t * crl_list, int crl_list_size) { RETWRAP (gnutls_certificate_set_x509_crl (cred, crl_list, crl_list_size)); }